ajaxterm/qweb.py facilitates arbitrary code execution
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | Thierry Carrez | 2012.1 |
Bug Description
Ajaxterm (by way of qweb [last patched in 2006]) stores session data in a pickle in the system temp directory. It unpickles this file without validation. If an attacker can write to the temp directory (file upload would be a common case, qweb may allow this), qweb will happily unpickle and execute attack code.
The qweb framework has a bunch of other problems (irresponsible use of eval on user provided input, response splitting and various XSS shenanigans being obvious candidates), but this one seems particularly notable. I would suggest that we fix the bug by removing qweb.py (and by extension, ajaxterm) rather than trying to patch its deficiencies.
We have noVNC, which obsoletes ajaxterm pretty effectively.
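The unpickle-from-tempdir pattern the report describes, placed next to a hardened replacement, as an added illustration that is not qweb's or nova's code. `SignedJsonSessionStore`, its file layout and the HMAC key are hypothetical; the point is that session state should be stored as data (JSON) with an integrity tag, so a file planted or altered in a shared temp directory is rejected before anything is parsed.

```python
import hashlib
import hmac
import json
import os
import pickle
import tempfile


def load_session_unsafe(path):
    # The pattern the report describes: pickle.load() runs whatever opcode
    # stream is in the file, so anyone who can write to the temp directory
    # decides what executes when the session is loaded.
    with open(path, "rb") as fh:
        return pickle.load(fh)


class SignedJsonSessionStore:
    """Hypothetical replacement: a JSON body (data only, never code) plus an
    HMAC-SHA256 tag, so a planted or altered file is rejected unparsed."""

    def __init__(self, secret, directory=None):
        self.secret = secret
        self.directory = directory or tempfile.gettempdir()

    def _path(self, sid):
        # Plain alphanumeric ids only, so an id cannot escape the directory.
        if not sid.isalnum():
            raise ValueError("invalid session id")
        return os.path.join(self.directory, "sess_%s.json" % sid)

    def _tag(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()

    def save(self, sid, data):
        body = json.dumps(data, sort_keys=True).encode()
        with open(self._path(sid), "wb") as fh:
            fh.write(self._tag(body) + b"\n" + body)

    def load(self, sid):
        path = self._path(sid)
        if not os.path.exists(path):
            return None
        with open(path, "rb") as fh:
            tag, _, body = fh.read().partition(b"\n")
        # Constant-time check; a wrong or missing tag means the file was not
        # written by this server with this key, so it is never parsed.
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("session file failed integrity check")
        return json.loads(body)
```

A pickle stream in the same directory would still be executed by `load_session_unsafe`; the signed store never calls `pickle` at all, and a file written under a different key, or edited after the fact, fails the tag check.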
CVE References
Changed in nova:
importance: Undecided → High
status: New → Confirmed

Changed in nova:
status: Fix Committed → Fix Released

Changed in nova:
milestone: essex-4 → 2012.1
Adding PTL and markmc (as it may impact soon-to-be-released 2011.3.1)
Working on checking how exploitable this is, but at first glance I'd agree that this qweb.py is pretty weak.