ActivePython ActiveX Control Weak Default Security Policy Vulnerability
ActiveState's ActivePython is an implementation of the Python scripting language for the Microsoft Windows operating system. ActivePython is also available for Linux and Solaris. The default installation of ActivePython for Windows includes an ActiveX control which is registered as a script handler for the language. This handler allows the use of embedded client-side Python scripts in web pages. The ActiveX control included with ActivePython does not appear to modify the default policy associated with the RExec class. As a result, a malicious script included in a web page may be able to access file and directory contents. Clever use of this vulnerability could expose sensitive data to an outside source, possibly through the use of HTTP requests for dynamically generated content.