Skip to content

aeyesec/CVE-2023-22432

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2023-22432

PoC verification of web2py vulnerability (CVE-2023-22432)

A vulnerability (CVE-2023-22432) in web2py was disclosed on Jan 31, 2023 (US time). This article describes our discussion of this vulnerability and the results of our verification.

Vulnerability Summary

This vulnerability is an open redirect vulnerability in web2py that allows an arbitrary URL to be specified as the callback destination URL in the admin page URL. Countermeasures against open redirects were originally implemented, but this vulnerability is reproduced by applying a special bypass method to the URL. This can lead you to malicious sites.

Affected Versions

  • web2py prior to 2.23.1

Countermeasures

  • Update to web2py 2.23.1 or higher.

Vulnerability History

An open redirect vulnerability (CVE-2022-33146) was discovered in web2py in 2022, and we wondered if there were other vulnerabilities like CVE-2022-33146, so we checked the source code of web2py, and we found the way to bypass open redirect prevention. Takuto Yoshikai (the author) of Aeye Security Lab reported this to the IPA and web2py development team.

Verification environment

  • M1 Mac
  • Python3.8
  • web2py 2.22.5

Verification

Run build.sh in this repository. Then web2py will start.

bash build.sh

Access to http://localhost:8000/admin/default/index/?send=//example.com

Enter password "password123", and click Login.

It didn't redirect to example.com, so open redirect prevention worked well.

Access to http://localhost:8000/admin/default/index/?send=\/\/example.com

The payload is \/\/example.com.

Enter password "password123", and click Login.

It redirected to example.com, so open redirect prevention didn't work correctly.

Summary

After review and verification, we have confirmed that it is possible to direct the administrator to a malicious web site by crafting the admin page URL. We recommend updating the system as soon as possible.

Reference Information

About

PoC for CVE-2023-22432 (web2py)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages