We have discovered a couple of security holes in the Examples and the
Admin servlets in the 0.5 release.
The vulnerability in Examples is that the "View Source" link in the
Examples sidebar can be used to view arbitrary files on the host system.
In the Admin context, the password protected pages, ( just AppControl in
0.5) were sharing a session variable with the Examples/SecureCountVisits
servlet. This permitted a user to login to the Example secure page, and
get access to the AppControl servlet.
These issues have been fixed and a 0.5.1 release candidate has been
placed on sourceforge ftp.
Get it from http://webware.sourceforge.net
Alternatively, you can disable the Examples and Admin contexts in
Please let the list know if you have any problems with the release
candidate. A final 0.5.1 Release won't be made until everyone is back
from Python 9 at the end of the week.