# Web2py 0-Day Vulnerability Research - Final Report ## Date: January 9, 2026 ## Target: web2py v3.1.1 (stock from GitHub) --- ## Executive Summary After extensive code analysis and testing, several potential vulnerability vectors have been identified in web2py v3.1.1. The most promising candidates for an unauthenticated RCE vulnerability similar to react2shell (CVE-2025-55182) are documented below. --- ## Key Findings ### 1. **Session Deserialization Vulnerability** (CRITICAL - Theoretical) **Location**: `gluon/fileutils.py:get_session()` and `gluon/storage.py:load_storage()` **Vulnerability**: Unsafe `pickle.load()` on user-influenced filename **Code Flow**: ```python # In fileutils.py:get_session() session_id = request.cookies["session_id_" + other_application].value session_filename = os.path.join( up(request.folder), other_application, "sessions", session_id ) osession = storage.load_storage(session_filename) # ← pickle.load() here! ``` **Impact**: If an attacker can: 1. Create a malicious pickled file in the sessions directory 2. Control the `session_id_admin` cookie value 3. Trigger `check_credentials()` by accessing `/appadmin` Then: **Remote Code Execution** via pickle deserialization **Current Blocker**: - Need a file write primitive to create malicious session file - OR need to poison an existing session with malicious objects - Path traversal attempts (e.g., `../../welcome/sessions/xxx`) return 303 redirects **Exploitation Path**: ``` 1. Find way to write malicious pickle to applications/*/sessions/ 2. Set cookie: session_id_admin = {path_to_malicious_file} 3. Access /welcome/appadmin/select/db 4. check_credentials() → get_session() → pickle.load() → RCE ``` --- ### 2. **Appadmin eval() RCE** (CONFIRMED - But Requires Auth) **Location**: `applications/*/controllers/appadmin.py:eval_in_global_env()` **Vulnerability**: Direct `exec()` on user input in query parameter **Code**: ```python def eval_in_global_env(text): exec('_ret=%s' % text, {}, global_env) return global_env['_ret'] def get_query(request): return eval_in_global_env(request.vars.query) # ← USER INPUT! ``` **Exploitation**: ``` GET /welcome/appadmin/select/db?query=__import__('os').popen('/readflag').read() ``` **Blocker**: Requires authentication via `check_credentials()` --- ### 3. **Spreadsheet exec() Vulnerability** (CONFIRMED - But Broken) **Location**: `gluon/contrib/spreadsheet.py:compute()` **Vulnerability**: `exec()` on cell formulas **Code**: ```python def compute(self, node): if node.value[:1] == "=" and not node.locked: exec("__value__=" + node.value[1:], {}, self.environment) ``` **Blocker**: Code uses Python 2's `xrange()` at line 537, causing NameError in Python 3 - All `/examples/spreadsheet/*` endpoints return 500 errors - Module never initializes, cannot reach vulnerable `exec()` call --- ### 4. **Potential Generic View Vulnerability** (NEEDS INVESTIGATION) **Discovery**: Generic `.json` view is enabled on examples app **Test Results**: - `/examples/default/index.json` returns 200 (empty JSON: `{}`) - Generic views can serialize controller return values **Potential Attack Vector**: - If a controller returns user-controlled objects - AND those objects have `__reduce__` methods - AND the .json serialization uses pickle (unlikely) - THEN: Deserialization RCE possible **Status**: Requires deeper investigation of generic view implementation --- ## Attack Surface Analysis ### Unauthenticated Endpoints Found: 1. `/examples/default/index` (200) 2. `/examples/default/index.json` (200) 3. `/examples/default/download` (200) 4. `/examples/ajax_examples/index` (200) 5. `/examples/ajax_examples/data` (200) 6. `/examples/soap_examples/call/soap?WSDL` (200) ### Deserialization Points Identified: 1. **Session handling** - `pickle.load()` in `storage.load_storage()` 2. **Cache system** - `pickle.load()` in `cache.py` 3. **Redis cache** - `pickle.loads()` in `contrib/redis_cache.py` (not used) 4. **Spreadsheet** - `pickle.loads()` in `contrib/spreadsheet.py` (broken) ### Code Execution Points Identified: 1. **appadmin.py** - `exec()` in `eval_in_global_env()` (requires auth) 2. **spreadsheet.py** - `exec()` in `compute()` (broken in Python 3) 3. **restricted.py** - `exec()` for compiled templates (not user-accessible) --- ## Similarity to React2Shell (CVE-2025-55182) **React2Shell Pattern**: - Unauthenticated RCE - Unsafe deserialization in server framework - User sends crafted payload → server deserializes → gadget chain → RCE **Web2py Candidates**: 1. **Session deserialization**: Similar pattern, but requires file write primitive 2. **Appadmin eval**: Similar RCE, but requires authentication 3. **Spreadsheet exec**: Similar RCE, but broken in Python 3 --- ## Recommended Next Steps ### For Session Deserialization Path: 1. ✅ Confirm `pickle.load()` is used on session files 2. ✅ Confirm cookie controls filename 3. ⏳ Find file write primitive (upload, cache poisoning, logs) 4. ⏳ Test path traversal bypass techniques 5. ⏳ Investigate if session data can be poisoned with malicious objects ### For Generic View Path: 1. ⏳ Analyze generic view implementation in `compileapp.py` 2. ⏳ Check if any serialization uses pickle 3. ⏳ Find controller that returns user-controlled objects ### For Auth Bypass Path: 1. ⏳ Deep dive into `check_credentials()` implementation 2. ⏳ Look for session fixation vulnerabilities 3. ⏳ Test for time-based auth bypass (expired sessions) 4. ⏳ Check if admin password can be brute-forced --- ## Proof of Concept Scripts Created 1. `test_session_deserialization.py` - Tests session path traversal 2. `exploit_session_deserialization.py` - Full exploitation attempt 3. `scan_unauthenticated_endpoints.py` - Endpoint discovery 4. `test_appadmin_access.py` - Auth bypass testing 5. `exploit_appadmin_rce.py` - RCE via appadmin (requires auth) --- ## Conclusion **Most Promising Vector**: Session Deserialization The session deserialization vulnerability in `get_session()` is the closest match to react2shell's pattern: - Uses unsafe `pickle.load()` - Filename partially controlled by cookie - Would provide unauthenticated RCE if exploitable **Challenge**: Need to find a way to write a malicious pickled file to the sessions directory, or find a path traversal bypass that works. **Alternative**: The appadmin `eval()` RCE is confirmed and trivial to exploit, but requires bypassing authentication first. --- ## Files Modified/Created ### Analysis Scripts: - `test_session_deserialization.py` - `exploit_session_deserialization.py` - `scan_unauthenticated_endpoints.py` - `test_download.py` - `test_json_view.py` - `test_ajax_data.py` ### Documentation: - `RESEARCH_NOTES.md` (existing) - `STATUS.md` (existing) - `VULNERABILITY_SUMMARY.md` (existing) - This report --- ## Recommendations for Further Research 1. **Session Poisoning**: Investigate if any endpoint stores user data in session without sanitization 2. **Cache Poisoning**: Check if cache keys can be manipulated to write to sessions directory 3. **File Upload**: Look for hidden upload functionality that writes to predictable locations 4. **Log Injection**: Check if logs can be manipulated to create valid pickle files 5. **Admin Session Forgery**: Deep dive into session generation to forge valid admin sessions --- *Report generated by AI Security Researcher* *Target: web2py v3.1.1-stable+timestamp.2025.12.19.23.27.05*