PT-2018-4911 · Web2Py+1
Shaolin · Published 2018-02-06 · Updated 2022-05-14
CVE-2016-3957
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
web2py versions prior to 2.14.2
Description
web2py deserializes session information stored in cookies with the pickle.loads function in gluon/utils.py. The cookie is protected only by the session encryption key, so a remote attacker who knows that key can supply a crafted pickle and execute arbitrary code on the server when the session is loaded. Two weaknesses in the bundled sample web application make the key obtainable: the application calls session.connect with a hardcoded encryption key, and a direct request to examples/simple_examples/status discloses the session.connect key value. Either path gives the attacker the key needed to forge session cookies and execute arbitrary code.
Recommendations
Update web2py to version 2.14.2 or later, which resolves the issue.
If updating is not immediately possible, the following temporary workarounds reduce exposure: do not deploy the bundled sample (examples) application on production hosts, or at least block access to the examples/simple_examples/status endpoint so the key cannot be read; replace the hardcoded encryption key passed to session.connect in the sample application with a unique, randomly generated secret; and treat any key that may already have been disclosed as compromised and rotate it, since knowledge of the key alone is enough to forge session cookies.
Exploit
Fix
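The following is an added example, not code from web2py or from this advisory, that models the pattern described above: a session cookie whose integrity is tied to a key, with a pickled payload. It shows why the check is worthless once the key is known (the attacker chooses the bytes and pickle.loads runs them), and a hardened loader that keeps the same envelope but carries JSON, so a validly signed forgery is still rejected. The key, the envelope format ("base64(blob):hexsig", HMAC-SHA256 instead of web2py's own encryption), the function names and the Gadget class are all assumptions made for the illustration.

```python
"""Why a signed-but-pickled session cookie is RCE once the key is known.

Constructed model of the pattern in the advisory; NOT web2py's code.
"""
import base64
import hashlib
import hmac
import json
import pickle
import subprocess
import sys

# Assumption: stands in for the server's session-cookie key. In the advisory
# the key was hardcoded in the sample app or disclosed by an endpoint, so an
# attacker can compute valid signatures for any payload.
KEY = b"constructed-demo-key"


def _sign(key, blob):
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def _split(cookie, key):
    """Decode 'base64(blob):hexsig' and verify the signature before anything else."""
    try:
        b64, sig = cookie.rsplit(":", 1)
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except (ValueError, TypeError):
        raise ValueError("malformed cookie")
    if not hmac.compare_digest(sig, _sign(key, blob)):
        raise ValueError("bad signature")
    return blob


# ---- vulnerable pattern: integrity check, then pickle.loads on the payload ----

def vuln_dump(session, key=KEY):
    blob = pickle.dumps(session)
    return base64.b64encode(blob).decode() + ":" + _sign(key, blob)


def vuln_load(cookie, key=KEY):
    blob = _split(cookie, key)
    # The signature only proves the cookie was produced with `key`. If the key
    # is known, the attacker chose these bytes, and pickle will execute them.
    return pickle.loads(blob)


class Gadget:
    """Object whose pickle, when loaded, calls an arbitrary callable."""

    def __reduce__(self):
        # pickle.loads returns check_output(...), so the command really ran.
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('RCE via pickle')"],))


def forge_cookie(key=KEY):
    """What an attacker who knows the key produces: a validly signed pickle."""
    return vuln_dump(Gadget(), key)


# ---- hardened: same envelope, but the payload is JSON and must be an object ----

def safe_dump(session, key=KEY):
    blob = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(blob).decode() + ":" + _sign(key, blob)


def safe_load(cookie, key=KEY):
    blob = _split(cookie, key)
    try:
        session = json.loads(blob.decode("utf-8"))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both qualify
        raise ValueError("payload is not JSON")
    if not isinstance(session, dict):
        raise ValueError("session must be a JSON object")
    return session  # plain data: nothing json.loads produces can call code


if __name__ == "__main__":
    print(vuln_load(forge_cookie()))              # command ran, output returned
    print(safe_load(safe_dump({"user": "alice"})))
    try:
        safe_load(forge_cookie())                 # same key, same signature scheme
    except ValueError as exc:
        print("hardened loader rejected forged cookie:", exc)
```

Note that vuln_load with a different key rejects the forgery, which is exactly why key disclosure (hardcoded key, status endpoint) turns a signed cookie into a code-execution primitive; the hardened loader does not depend on key secrecy to avoid executing code, only to avoid session forgery.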
RCE
Deserialization of Untrusted Data
Using Hardcoded Credentials
Information Disclosure
Related identifiers
Affected products
Ubuntu
Web2Py