RCE vulnerability in default applications #1205
Comments
@shaolin-tw do you mean the example and welcome applications? Just to be sure :)

@jicho yes, exactly!

@shaolin-tw thanks :)

Hi All, Thanks

Was in spam. Responding now.

Does that include Admin app and appadmin? On Mon, Mar 14, 2016 at 1:29 PM, mdipierro notifications@github.com wrote:

The problem is an information leak in one of the examples in the examples app. If you remove the examples app from your production deployment, you are safe. The fix in trunk is twofold. 1) we remove the specific example that caused the information leak. 2) we changed some internals in order to prevent this from happening again. Massimo On Mar 15, 2016, at 8:20 AM, BuhtigithuB notifications@github.com wrote:

We have discussed this and decided to: 1) remove the example that exposes internals from the examples app. 2) remove the password from the global_settings.
There are two vulnerabilities in the sample code. A production server containing the default applications could be exposed to a Remote Code Execution attack. The official site (web2py.com) is also affected.
According to the policy of Reporting Security Bugs, I can't describe it in more detail. To web2py users: REMOVING the default applications from the production server is the safe way.
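The advice in this thread is to remove the sample applications from production deployments. The script below is an added example (not code from the issue or from the web2py project) that audits an installation for those applications so an operator can verify the mitigation was applied. It assumes the stock web2py layout, where each application lives under `<web2py_root>/applications/<name>`, and the list of default application names (`examples`, `welcome`, `admin`) is an assumption based on what the standard web2py distribution ships; adjust it to match your own installation.

```shell
#!/bin/sh
# Audit a web2py installation for default (sample) applications.
# Added example, not from the issue thread or the web2py project.
# Assumption: apps live under <web2py_root>/applications/<name>.
# Assumption: these are the application names shipped by default.
DEFAULT_APPS="examples welcome admin"

# find_default_apps <applications_dir>
# Prints the space-separated names of default apps that are present.
# Returns 0 when none are found, 1 when at least one is present,
# so it can be used directly as a deployment check.
find_default_apps() {
    apps_dir="$1"
    found=""
    for app in $DEFAULT_APPS; do
        if [ -d "$apps_dir/$app" ]; then
            found="$found $app"
        fi
    done
    found="${found# }"      # drop the leading separator
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# Demonstration on a constructed layout in a temporary directory:
# two default apps plus one site-specific app.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/applications/examples" \
         "$demo_dir/applications/welcome" \
         "$demo_dir/applications/myapp"

if present=$(find_default_apps "$demo_dir/applications"); then
    echo "OK: no default applications found"
else
    echo "WARNING: default applications present: $present"
fi
rm -rf "$demo_dir"
```

Run it against a real deployment by replacing the constructed `demo_dir` with the path of the web2py root; a non-zero exit from `find_default_apps` makes it easy to wire into a deployment pipeline or a periodic configuration check.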