
CVE-2016-4806, CVE-2016-4807, CVE-2016-4808 #1585

Open
apoleon opened this issue Mar 5, 2017 · 10 comments

@apoleon

commented Mar 5, 2017

Hello,

several security vulnerabilities were reported for web2py and they already got CVEs assigned. I could not find any information about them in your git repository. Are you aware of them and are there any fixes available?

https://security-tracker.debian.org/tracker/source-package/web2py

@brianmay


commented Mar 6, 2017

The wording of the CVEs implies that this is fixed in 2.14.6. I am not sure that is correct, it could be that 2.14.5 was the latest release at the time.

Looks like the CVEs were allocated 2016-05-15 and version 2.14.6 was released 2016-05-10.

@brianmay


commented Mar 6, 2017

Not sure if the following commits are significant, just looking at the changes in 2.14.6 by hand:

Unfortunately the details provided in the CVE don't allow for positive identification of the specific git commit that fixed the problem, and there are no references to the CVEs in the commits.

I don't think there is a CVE for this one:

@brianmay


commented Mar 6, 2017

This also looks like a security fix:

@carnil


commented Mar 6, 2017

@brianmay: re the CVE allocation question: That only means:

Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

@brianmay


commented Mar 8, 2017

CVE-2016-4806 looks the most serious to me. Not sure what the scope of "intended user" means however. Can I please have confirmed if this has been fixed? None of the commits I have looked at after 2.14.5 look relevant.

@leonelcamara

Contributor

commented Apr 6, 2017

@brianmay I've fixed 4806 here:
1b42fe6

Narendra Bhati who discovered these flaws was kind enough to report them to us before making them public.

The problem was that the admin app was allowing you to pack any file; now it validates that the files are in the applications folder. Note that you still needed to be logged in to the admin to exploit this. Sadly, there was also a vulnerability that made the admin vulnerable to a brute force attack, which was fixed in the other commit by myself which you referred to.

We believe the admin application is quite safe right now, still, there's no need to use it in production.
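The kind of containment check described in the comment above, as an added example rather than web2py's own code: every requested path is resolved and must stay inside the applications folder before it is packed. The function names, the directory layout and the sample files are constructed for this illustration.

```python
import os
import tempfile
import zipfile

def is_within_applications(applications_root, requested):
    """True only if `requested` resolves to a path inside applications_root.

    Hypothetical check in the spirit of the fix described above; not web2py's
    own code. realpath() normalises '..' segments and follows symlinks, so a
    link that points outside the folder is rejected as well.
    """
    root = os.path.realpath(applications_root)
    # An absolute request would discard the root inside os.path.join; refuse it.
    if os.path.isabs(requested):
        return False
    target = os.path.realpath(os.path.join(root, requested))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Paths on different drives (Windows) share no prefix: treat as outside.
        return False

def pack_files(applications_root, requested_files, archive_path):
    """Write only validated, existing files into a zip; return rejected requests."""
    rejected = []
    with zipfile.ZipFile(archive_path, "w") as zf:
        for rel in requested_files:
            if not is_within_applications(applications_root, rel):
                rejected.append(rel)
                continue
            full = os.path.join(applications_root, rel)
            if os.path.isfile(full):
                zf.write(full, arcname=rel)
    return rejected

def demo():
    """Constructed layout: one file under applications/, one file beside it."""
    base = tempfile.mkdtemp()
    apps = os.path.join(base, "applications")
    os.makedirs(os.path.join(apps, "welcome", "models"))
    with open(os.path.join(apps, "welcome", "models", "db.py"), "w") as f:
        f.write("db = DAL('sqlite://storage.sqlite')\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the applications folder\n")
    archive = os.path.join(base, "welcome.zip")
    rejected = pack_files(apps, ["welcome/models/db.py", "../secret.txt"], archive)
    with zipfile.ZipFile(archive) as zf:
        return rejected, zf.namelist()
```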

@mdipierro

Contributor

commented Jun 20, 2017

@brianmay first of all thanks for reporting these issues. I apologize for not following closely. Do you think there is any major vulnerability still open that needs to be addressed?

@brianmay


commented Jun 21, 2017

I have no idea if web2py is still vulnerable or not. At the time I was trying to get a list of commits that fix the security issues, so I could try to backport them to Debian wheezy security updates.

Apparently 1b42fe6 fixes a security issue, although this commit also contains a lot of unnecessary white space changes. So it is hard to evaluate right now for backporting.

For future reference, it would be really helpful if the commit message and the relevant bug report contained a reference to the CVE being fixed.

Thanks

@leonelcamara

Contributor

commented Jun 21, 2017

@brianmay the relevant part of that commit is here:
1b42fe6#diff-9b613db67036bfc740fac6e1851ec011R412

That line and the ones following validate the files the user requested to be packed.

@mdipierro

Contributor

commented Jun 21, 2017

OK. Unless there are objections I am going to close this.
