Yesterday I was notified by ShellSecurity about what can be interpreted as 
a vulnerability in web2py. First of all I wish to thank them for 
professionally reporting about this issue.

The vulnerability consists in the fact that web2py uses pickle to 
serialize/deserialize cache, sessions, and tickets.

A malicious attacker with write access to your server side cache, sessions, 
or tickets could modify them, inject code in them, and exploit the fact 
that when web2py de-serializes those files, the malicious code will be 
executed.

I believe this vulnerability constitutes an acceptable risk for these 
reasons:

- Those files are created by web2py code and read by web2py, and cannot 
originate from user input. Strings and numbers in them can but they cannot 
be exploited for this malicious purpose. So the attacker must have write 
access to the server file system and cannot compromise those files just 
from user input.

- web2py stores those files in the applications folder which is the same 
location where web2py stores applications code and code is interpreted and 
executed by web2py.  Hence an attacker capable of compromising those pickle 
files would also be able to modify your applications source code and would 
have a much easier life doing so. In fact application code can even be 
modified from the admin web interface unless it is disabled. In a 
production environment that would be an even bigger vulnerability.

- It is up to the web2py users to protect access to the code as well as the 
server side cache/session/tickets files.

- Changing this would break web2py. The ability to store arbitrary objects 
in cache and sessions using pickle was design choice that users rely on. In 
2007 that seemed like a good idea.

If this is an issue for you, know that this problem does not exist in 
py4web. The latter uses json in place of pickle. Json limits what you can 
store in cache/session/tickets but json is not subject to insecure object 
deserialization.

py4web, like web2y, by default, stores those files in the same location as 
code but it gives you to option to harden access to code vs data, such as 
make the code readonly with strict write permissions while still allowing 
apps to write cache/session/tickets.

That said, no matter what web framework you use, it is always your 
responsibility to ensure that write access to the code, or any file that 
may contain code (and pickles can), is protected from malicious attackers.

Massimo

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/web2py/b6075a5d-7a0f-4250-b7ce-54940afd3dffn%40googlegroups.com.

Reply via email to