When creating a password hash (e.g. when authenticating the user-supplied
password) webapp2 uses the following code snippet:
```python
# 'method' is the digest name taken from the stored password hash
method = getattr(hashlib, method, None)
if not method:
    return None
if salt:
    h = hmac.new(webapp2._to_utf8(salt), password, method)
else:
    h = method(password)
```
Parameter 'method' comes from the user's password hash stored in NDB. If (for
whatever reason) the password hash from NDB comes from an untrusted source, the
attacker can abuse it to plant e.g. the following password hash:
```
anything$__delattr__$
```
And use e.g. 'sha1' as the password. This will effectively be:
```python
method = getattr(hashlib, '__delattr__', None)
method('sha1')
```
removing the hashlib.sha1 function, breaking the cookie signature verification
and authentication attempts for all other users until the application restarts.
Before using getattr(hashlib, ...) one should verify that the method:
- is not in ['new', 'algorithms']
- does not start with "_"
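The following is an added illustration of the allow-list check described above, not code from webapp2 or from the original report. It assumes the `hashval$method$salt` layout implied by the sample hash (in the report the method name is the second `$`-separated field), a Python 3 environment where `hmac.new` takes bytes, and that only the digest names `hashlib.algorithms_guaranteed` are acceptable. `unsafe_resolve` shows why a bare `getattr` is the problem (it hands back a non-digest attribute for `__delattr__` without calling it); `resolve_hash_method` and the functions built on it reject such names before any lookup reaches `hashlib`:

```python
import hashlib
import hmac
import os

# Allow-list of digest constructors. Restricting to algorithms_guaranteed keeps
# the set identical on every platform; the shake_* constructors are excluded
# because their hexdigest() needs a length argument and does not fit this API.
ALLOWED_METHODS = frozenset(
    n for n in hashlib.algorithms_guaranteed if not n.startswith('shake_')
)


def unsafe_resolve(name):
    """The lookup pattern from the report: any hashlib attribute, including
    dunder methods, is returned as if it were a digest constructor."""
    return getattr(hashlib, name, None)


def resolve_hash_method(name):
    """Return a hashlib constructor for `name`, or None if `name` is not an
    allow-listed digest. Names starting with '_' and the helpers 'new' and
    'algorithms' are rejected explicitly, as the report recommends, even
    though the allow-list alone would already exclude them."""
    if not isinstance(name, str):
        return None
    if name.startswith('_') or name in ('new', 'algorithms'):
        return None
    if name not in ALLOWED_METHODS:
        return None
    return getattr(hashlib, name)


def hash_password(password, method, salt=''):
    """Hardened equivalent of the snippet in the report: the method name is
    validated before it is resolved, so a stored hash cannot steer the lookup
    to an arbitrary attribute."""
    ctor = resolve_hash_method(method)
    if ctor is None:
        return None
    pw = password.encode('utf-8')
    if salt:
        h = hmac.new(salt.encode('utf-8'), pw, ctor)
    else:
        h = ctor(pw)
    return h.hexdigest()


def generate_password_hash(password, method='sha256', salt=None):
    """Produce 'hashval$method$salt' (layout assumed from the report's sample)."""
    if salt is None:
        salt = os.urandom(8).hex()
    hashval = hash_password(password, method, salt)
    if hashval is None:
        raise ValueError('unsupported hash method: %r' % (method,))
    return '%s$%s$%s' % (hashval, method, salt)


def check_password_hash(password, pwhash):
    """Verify `password` against a stored 'hashval$method$salt' string.
    A malformed or unknown method yields False instead of an attribute lookup."""
    if pwhash.count('$') < 2:
        return False
    hashval, method, salt = pwhash.split('$', 2)
    computed = hash_password(password, method, salt)
    if computed is None:
        return False
    return hmac.compare_digest(computed, hashval)


if __name__ == '__main__':
    # Constructed sample values: the planted hash from the report and a normal one.
    planted = 'anything$__delattr__$'
    print('unsafe lookup resolves to:', unsafe_resolve('__delattr__'))
    print('hardened lookup resolves to:', resolve_hash_method('__delattr__'))
    print('planted hash verifies:', check_password_hash('sha1', planted))
    good = generate_password_hash('correct horse', 'sha256')
    print('normal hash verifies:', check_password_hash('correct horse', good))
```

Note that `check_password_hash` never touches `hashlib.sha1` when given the planted hash, so the constructor remains intact for every other user; with the original lookup the same input would have resolved `__delattr__` and removed it.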
Original issue reported on code.google.com by kkotowicz on 16 Dec 2013 at 11:52