#6 Remote OS command execution

Closed
opened 5 years ago by sindre · 0 comments
sindre commented 5 years ago

The first time a user uploads a file to a task, a new folder is created using the taskid. Tampering with the task id can allow for command injection when executing OS commands with the popen function in the Python os package.

sindre added this to the Required fixes milestone 5 years ago
sindre added the bug label 5 years ago
sindre added the webpy label 5 years ago
sindre added the injection label 5 years ago
sindre referenced this issue from a commit 5 years ago
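
The folder-creation step described in this issue, as an added example (not the project's code, which the issue does not show): the shell-string pattern next to a version that validates the id and creates the folder without a shell. The function names, the `/srv/uploads` path and the assumption that task ids are plain decimal numbers are hypothetical.

```python
import os
import re
import tempfile

# Assumption: task ids are positive decimal integers (the issue does not say).
TASK_ID_RE = re.compile(r"[0-9]{1,10}")


def unsafe_mkdir_command(upload_root, task_id):
    """Pattern described in the issue: the id is pasted into a shell string.
    Returned, not executed, so the resulting command line can be inspected."""
    return "mkdir " + os.path.join(upload_root, task_id)


def ensure_task_dir(upload_root, task_id):
    """Create the per-task upload folder without a shell and return its path.
    Raises ValueError for any id that is not a plain number."""
    task_id = str(task_id)
    if not TASK_ID_RE.fullmatch(task_id):
        raise ValueError("invalid task id")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, task_id))
    # Defence in depth: the resolved folder must stay inside the upload root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("task folder escapes upload root")
    os.makedirs(target, mode=0o750, exist_ok=True)  # filesystem call, no shell
    return target


def demo():
    """Feed constructed ids to ensure_task_dir; returns (accepted, rejected)."""
    accepted, rejected = [], []
    with tempfile.TemporaryDirectory() as root:
        for task_id in ["42", "42; id", "../7", "$(id)", ""]:  # constructed inputs
            try:
                ensure_task_dir(root, task_id)
                accepted.append(task_id)
            except ValueError:
                rejected.append(task_id)
    return accepted, rejected


if __name__ == "__main__":
    # With string concatenation the shell would see two commands here.
    print(unsafe_mkdir_command("/srv/uploads", "42; id"))
    print(demo())
```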