My favorite XML-RPC debugger has been taken offline because of a huge security vulnerability in Python's SimpleXMLRPCServer library:

On vulnerable XML-RPC servers, a remote attacker may be able to view or modify globals of the module(s) containing the registered instance's class(es), potentially leading to data loss or arbitrary code execution. If the registered object is a module, the danger is particularly serious. For example, if the registered module imports the os module, an attacker could invoke the os.system() function.
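The exposure the advisory describes, and the check that closes it, shown as an added example that is not code from the original post or from the Python project. It uses Python 3's `xmlrpc.server` (the renamed SimpleXMLRPCServer module); `service`, `helper`, `unrestricted_resolve`, `reachable`, `risky_attributes` and `call` are hypothetical names and constructed objects.

```python
import types
from xmlrpc.server import SimpleXMLRPCDispatcher, resolve_dotted_attribute

# Constructed stand-ins: 'service' plays a module registered as the XML-RPC
# instance, 'helper' a module it imported and never meant to expose.
helper = types.ModuleType("constructed_helper")
helper.run = lambda arg: "constructed helper called with " + arg
service = types.ModuleType("constructed_service")
service.add = lambda a, b: a + b
service.helper = helper
service._token = "constructed-secret"

def unrestricted_resolve(obj, name):
    """Unfiltered dotted lookup, modelling the exposure the advisory describes."""
    for part in name.split("."):
        obj = getattr(obj, part)
    return obj

def reachable(instance, method, allow_dotted_names=False):
    """True if the stdlib resolver maps an XML-RPC method name to an attribute."""
    try:
        resolve_dotted_attribute(instance, method, allow_dotted_names)
        return True
    except AttributeError:
        return False

def risky_attributes(instance):
    """Public attributes that are modules: entry points if dotted names are on."""
    return sorted(name for name in dir(instance)
                  if not name.startswith("_")
                  and isinstance(getattr(instance, name), types.ModuleType))

def call(method, params, allow_dotted_names=False):
    """Dispatch one call the way the server would, without opening a socket."""
    dispatcher = SimpleXMLRPCDispatcher()
    dispatcher.register_instance(service, allow_dotted_names=allow_dotted_names)
    return dispatcher._dispatch(method, params)  # dispatcher's internal entry point

if __name__ == "__main__":
    print(call("add", (2, 3)))                     # intended method still works
    print(reachable(service, "helper.run"))        # default: dotted name refused
    print(reachable(service, "helper.run", True))  # opt-in reopens the traversal
    print(risky_attributes(service))               # audit of the registered object
```

Running `risky_attributes` over whatever object a server registers gives a quick list of imported modules that would become callable if dotted names were ever enabled.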

Comments

AFAIK fixed in both Python versions 2.3.5 (as of February 8th) and 2.4.1 (March 30).

Moreover, the "by hand" fix was available since AFAIR February. So in this case it's rather a lame excuse and nothing more. ;-)
