Yesterday I was notified by ShellSecurity about what can be interpreted as a vulnerability in web2py. First of all I wish to thank them for professionally reporting about this issue.
The vulnerability consists in the fact that web2py uses pickle to serialize/deserialize cache, sessions, and tickets. A malicious attacker with write access to your server side cache, sessions, or tickets could modify them, inject code in them, and exploit the fact that when web2py de-serializes those files, the malicious code will be executed. I believe this vulnerability constitutes an acceptable risk for these reasons: - Those files are created by web2py code and read by web2py, and cannot originate from user input. Strings and numbers in them can but they cannot be exploited for this malicious purpose. So the attacker must have write access to the server file system and cannot compromise those files just from user input. - web2py stores those files in the applications folder which is the same location where web2py stores applications code and code is interpreted and executed by web2py. Hence an attacker capable of compromising those pickle files would also be able to modify your applications source code and would have a much easier life doing so. In fact application code can even be modified from the admin web interface unless it is disabled. In a production environment that would be an even bigger vulnerability. - It is up to the web2py users to protect access to the code as well as the server side cache/session/tickets files. - Changing this would break web2py. The ability to store arbitrary objects in cache and sessions using pickle was design choice that users rely on. In 2007 that seemed like a good idea. If this is an issue for you, know that this problem does not exist in py4web. The latter uses json in place of pickle. Json limits what you can store in cache/session/tickets but json is not subject to insecure object deserialization. py4web, like web2y, by default, stores those files in the same location as code but it gives you to option to harden access to code vs data, such as make the code readonly with strict write permissions while still allowing apps to write cache/session/tickets. That said, no matter what web framework you use, it is always your responsibility to ensure that write access to the code, or any file that may contain code (and pickles can), is protected from malicious attackers. Massimo -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/web2py/b6075a5d-7a0f-4250-b7ce-54940afd3dffn%40googlegroups.com.
