CVE-2023-45158: A web2py OS Command Injection Vulnerability

by do son · October 16, 2023

In the vast ocean of open-source web frameworks, web2py has long been revered as a versatile tool for rapid application development. Designed to be user-friendly, it empowers developers to adhere to the best software engineering practices by employing the Model-View-Controller (MVC) pattern. However, like many intricate systems, even web2py is not immune to vulnerabilities. Enter CVE-2023-45158: a potentially critical flaw that could expose systems to severe threats.

CVE-2023-45158 (CVSS score of 8.1) is an OS command injection vulnerability in the web2py web application framework. This means that an attacker could exploit this vulnerability to execute arbitrary commands on the web server using the product.

At its core, the vulnerability revolves around an OS command injection weakness, specifically when the notifySendHandler is activated for logging purposes. This flaw could offer an open door for attackers, allowing them to execute arbitrary commands on a web server. All users of web2py 2.24.1 and earlier are affected by this vulnerability.

An attacker could exploit this vulnerability to:

Remote Attacks: Attackers don’t need direct access to the server. They can exploit this vulnerability from anywhere in the world, giving them a wide playing field.
Command Execution: The ability to run arbitrary commands means that attackers could gain unauthorized access, steal data, install malicious software, or even cripple the server.
Compromised Data Integrity: Any application hosted on the affected web2py platform can have its data integrity compromised, leading to misinformation or data breaches.

The crux of the problem lies in how web2py handles command executions when notifySendHandler is engaged for logging. Without the necessary input validations in place, it becomes susceptible to code injections. Essentially, an attacker can insert malicious OS commands within the data being sent to the server. When this data is processed and logged, the embedded commands are executed, giving the attacker a potentially unrestricted foothold on the server.

The vendor has released a patch for this vulnerability. All users of web2py are urged to update to the latest version as soon as possible.