[issue5753] CVE-2008-5983 python: untrusted python modules search path

Jesús Cea Avión report at bugs.python.org
Tue Sep 28 05:25:17 CEST 2010


Jesús Cea Avión <jcea at jcea.es> added the comment:

This issue is equivalent to MS Windows DLL hijacking (the MS situation is worse, because the DLL can be in network shares or, even, in remote WebDAV servers):

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://news.cnet.com/8301-27080_3-20014625-245.html

When I learned about this attack, my first thought was "what if sys.path.index('')>=0?". Arg!.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5753>
_______________________________________
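
Added example (not part of the original message or of CPython): a defensive audit of a module search path, in the spirit of the check on the empty sys.path entry mentioned in the comment above. The function name audit_search_path and its trusted_uids parameter are assumptions of this example, and it relies on POSIX ownership and mode bits.

```python
import os
import stat
import sys


def audit_search_path(entries, trusted_uids=None):
    """Return (entry, reason) pairs for search path entries that a user
    outside trusted_uids could use to plant a module."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: root and the caller are trusted
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "empty entry: resolves to the current working directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry: depends on the current working directory"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # entry does not exist; the import system ignores it
        if not stat.S_ISDIR(st.st_mode):
            continue  # zip archives and other files are outside this example
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "directory is world-writable"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "directory is owned by untrusted uid %d" % st.st_uid))
    return findings


if __name__ == "__main__":
    # Audit the interpreter's own search path and report each finding.
    for entry, reason in audit_search_path(sys.path):
        print("%r: %s" % (entry, reason))
```

Run as a script, it prints one line per suspicious entry of the running interpreter's sys.path; no output means no entry matched these checks.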

