Paste 1.7.4, security fix for XSS hole

34 views

Skip to first unread message

Ian Bicking

unread,

Jun 24, 2010, 3:07:36 AM6/24/10

to Paste Users, pylons...@googlegroups.com, pylons-discuss, turbogea...@googlegroups.com, repoz...@lists.repoze.org

Paste 1.7.4 is released. The only real change is to paste.httpexceptions, which was using insecure quoting of some parameters and allowed an XSS hole, most specifically with its 404 messages. The most notably WSGI application using this is paste.urlparse.StaticURLParser and PkgResourcesParser. By directing someone to an appropriately formed URL an attacker can execute arbitrary Javascript on the victim's client. paste.urlmap.URLMap is also affected, but only if you have no application attached to /. Other applications using paste.httpexceptions may be effected (especially HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not affected.

I believe the changes to 1.7.4 are limited and upgrading will have a low impact.

This security hole was found by Tim Wintle <http://www.rubberrepublic.com/> and I think entirely separately just a couple days later by Georg-Christian Pranschke <http://sensepost.com>.

I'm sorry about this, I hope this won't cause you too much trouble.

--
Ian Bicking | http://blog.ianbicking.org

Wichert Akkerman

unread,

Jun 24, 2010, 3:33:13 AM6/24/10

to pylons-...@googlegroups.com, Ian Bicking, Paste Users, pylons...@googlegroups.com, repoz...@lists.repoze.org

On 6/24/10 09:07 , Ian Bicking wrote:
> I believe the changes to 1.7.4 are limited and upgrading will have a low
> impact.

Is there a changelog somewhere? The paste website still lists 1.7.3 as
the last release and the pypi page has no changelog information.

If I look at http://bitbucket.org/ianb/paste/src/30425672adf7/.hgtags
there are two 1.7.4 tags?