
RCE vulnerability in default applications #1205

Closed
shaolin-tw opened this issue Mar 8, 2016 · 8 comments

Comments

@shaolin-tw

There are two vulnerabilities in the sample code. A production server containing the default applications could be subject to a Remote Code Execution attack. The official site (web2py.com) is also affected.

According to the policy on Reporting Security Bugs, I can't describe it in more detail. To web2py users: REMOVING the default applications from a production server is the safe way.

@jicho
Contributor

jicho commented Mar 9, 2016

@shaolin-tw do you mean the example and welcome applications? Just to be sure :)

@shaolin-tw
Author

@jicho yes, exactly!

@jicho
Contributor

jicho commented Mar 9, 2016

@shaolin-tw thanks :)

@shaolin-tw
Author

Hi All,
Could anyone tell me whom I should contact to describe this issue? I sent an email to mdipierro but got no response. It is a serious problem. An attacker can hack web2py.com directly through these vulnerabilities.

Thanks

@mdipierro
Contributor

was in spam. responding now.

@BuhtigithuB
Contributor

Does that include Admin app and appadmin?

On Mon, Mar 14, 2016 at 1:29 PM, mdipierro notifications@github.com wrote:

was in spam. responding now.



@mdipierro
Contributor

The problem is an information leak in one of the examples in the examples app.
If you publish the examples app using rocket it may expose your admin password.
This is because the purpose of the example was to dump the internal status of web2py.

If you remove the examples app from your production deployment, you are safe.
If you use a third party web server like nginx or apache you are also safe (and you should do that anyway in production).

The fix in trunk is twofold. 1) We removed the specific example that caused the information leak. 2) We changed some internals in order to prevent this from happening again.

Massimo

On Mar 15, 2016, at 8:20 AM, BuhtigithuB notifications@github.com wrote:

Does that include Admin app and appadmin?

On Mon, Mar 14, 2016 at 1:29 PM, mdipierro notifications@github.com wrote:

was in spam. responding now.



@mdipierro
Contributor

we have discussed this and decided to: 1) remove the example that exposes internals from the examples app. 2) remove the password from the global_settings.
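The two comments above describe the same bug class and the same fix: a debug example that dumped the framework's process-wide settings object, which happened to hold the admin password, and a remedy that both drops the dumping example and moves the password out of that shared object. The following Python is an added illustration of that pattern and its mitigations; it is not web2py's code, and `build_settings_with_password`, `dump_status_unsafe`, `dump_status_redacted`, `AdminCredential`, `split_settings` and the settings keys are hypothetical names constructed for the example (web2py's real `global_settings` is structured differently).

```python
"""Added example: a status-dump view that leaks a secret held in shared settings,
and two defences (redaction, and keeping the secret out of shared state).
Not web2py's own code; all names and values below are constructed."""
import hmac
import re
from typing import Any, Dict, Tuple

# Constructed stand-in for a framework's process-wide settings object.
# Key names are hypothetical, not web2py's real global_settings fields.
def build_settings_with_password() -> Dict[str, Any]:
    return {
        "applications_parent": "/srv/app",
        "is_source": True,
        "password": "hashed-admin-password-placeholder",  # constructed value
    }

# Heuristic for keys whose values must never reach an HTTP response.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private", re.I)


def dump_status_unsafe(settings: Dict[str, Any]) -> Dict[str, Any]:
    """The leaky pattern from the thread: echo every setting back to the client.
    Anything stored in the shared object, including credentials, is exposed."""
    return dict(settings)


def dump_status_redacted(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Defence 1: mask secret-looking values before they can be rendered.
    Useful if a status page must exist at all, but still relies on the regex."""
    return {
        key: ("<redacted>" if SECRET_KEY_RE.search(key) else value)
        for key, value in settings.items()
    }


class AdminCredential:
    """Defence 2 (the thread's chosen fix): hold the password outside the shared
    settings object, so no generic dump of that object can include it."""

    def __init__(self, password_hash: str) -> None:
        self._hash = password_hash

    def matches(self, candidate_hash: str) -> bool:
        # Constant-time comparison avoids leaking the hash via timing.
        return hmac.compare_digest(self._hash, candidate_hash)


def split_settings(settings: Dict[str, Any]) -> Tuple[Dict[str, Any], AdminCredential]:
    """Move the password out of the settings dict into an AdminCredential.
    Returns the cleaned settings and the credential holder."""
    cleaned = dict(settings)
    credential = AdminCredential(cleaned.pop("password"))
    return cleaned, credential


def leaks_secret(dump: Dict[str, Any], secret: str) -> bool:
    """Detection check: does a rendered dump contain the secret value anywhere?"""
    return any(value == secret for value in dump.values())


if __name__ == "__main__":
    settings = build_settings_with_password()
    secret = settings["password"]
    print("unsafe dump leaks:", leaks_secret(dump_status_unsafe(settings), secret))
    print("redacted dump leaks:", leaks_secret(dump_status_redacted(settings), secret))
    cleaned, _ = split_settings(settings)
    print("dump after split leaks:", leaks_secret(dump_status_unsafe(cleaned), secret))
```

Redaction alone is a partial fix because it depends on a key-name heuristic; the structural change in `split_settings`, which is what the maintainers chose, removes the secret from the object that any debug or status view might serialise. The `leaks_secret` check is the kind of assertion worth keeping in a test suite for any endpoint that renders configuration.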
