trampgeek / jobe

jobe is a server that runs small programming jobs in a variety of programming languages
MIT License

Security problem with Jobe #50

Status: Closed (closed by thopd88 3 years ago)

thopd88 commented 3 years ago

Language selected: Python3. Source code:

a = eval(input())
print(a)

payload: __import__('os').popen('ls /').read()

This will show the root directory.

trampgeek commented 3 years ago

This is not a security flaw. Jobs running on the Jobe server have roughly the same rights as any non-privileged user would have who is logged on to the server, except that they have no home directory and have limits on their use of CPU time, memory and disk output. Read-only access to the root directory isn't a problem.
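The snippet in the report relies on eval(input()), which hands whatever arrives on stdin to the Python interpreter; inside a Jobe job that is unremarkable, because the job is already arbitrary user code running as an unprivileged account. The same construct is a real defect in any program that is only supposed to read data from an untrusted source. The following added example (not code from the issue or from the Jobe project) shows the hardened form, ast.literal_eval, which accepts literals only and refuses the call expression quoted above without executing it, plus a small AST inspection that reports which non-literal node types made an input unacceptable. The sample inputs are constructed for the example; the function names are my own.

```python
import ast

# Constructed sample inputs for this example: the first is the expression
# quoted in the issue, the second is ordinary data a program might expect.
MALICIOUS = "__import__('os').popen('ls /').read()"
BENIGN = "[1, 2, {'k': 'v'}]"

# AST node types that can appear in a pure literal (what literal_eval accepts):
# constants, containers, and the unary/binary operators used for negative
# numbers and complex literals. Load is the expression context on containers.
LITERAL_NODES = {
    "Expression", "Constant", "Tuple", "List", "Dict", "Set",
    "UnaryOp", "BinOp", "UAdd", "USub", "Add", "Sub", "Load",
}


def parse_untrusted(text: str):
    """Parse a Python literal from untrusted text without executing it.

    ast.literal_eval evaluates only literal syntax; a call, attribute
    access or name lookup raises ValueError instead of running. MemoryError
    and RecursionError on pathological nesting are deliberately not
    swallowed so the caller sees them.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"rejected non-literal input: {text!r}") from exc


def is_literal(text: str) -> bool:
    """True if the text is a pure literal, False otherwise."""
    try:
        parse_untrusted(text)
        return True
    except ValueError:
        return False


def risky_nodes(text: str) -> set:
    """Return the set of AST node type names that make text a non-literal.

    Useful for logging why an input was rejected (e.g. 'Call' means the
    input tried to invoke something) without ever evaluating the input.
    """
    tree = ast.parse(text, mode="eval")
    return {
        type(node).__name__
        for node in ast.walk(tree)
        if type(node).__name__ not in LITERAL_NODES
    }


if __name__ == "__main__":
    for sample in (BENIGN, MALICIOUS):
        if is_literal(sample):
            print("accepted:", parse_untrusted(sample))
        else:
            print("rejected:", sample, "->", sorted(risky_nodes(sample)))
```

Running the block accepts the list literal and rejects the call expression, reporting Attribute, Call and Name as the offending node types; nothing from the rejected input is executed at any point.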