CVE-2016-3952

7.8 HIGH

📋 TL;DR

This vulnerability in web2py allows remote attackers to read environment variables via direct access to the beautify example file. When combined with CVE-2016-3957, this information disclosure can be leveraged to gain administrative access and potentially execute arbitrary code. Affects web2py standalone installations before version 2.14.1.

💻 Affected Systems

Products:
  • web2py
Versions: All versions before 2.14.1
Operating Systems: All operating systems running web2py
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects standalone installations where the examples directory is accessible. Production deployments typically remove or restrict access to examples.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote attackers gain administrative access to the web2py application, leading to complete system compromise and arbitrary code execution.

🟠 Likely Case: Attackers obtain sensitive environment variables (potentially containing secrets, database credentials, or configuration data) which can be used for further attacks.

🟢 If Mitigated: Limited information disclosure with no path to privilege escalation if proper access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability requires only a direct HTTP request to a predictable URL with no authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to /examples/template_examples/beautify. Often combined with CVE-2016-3957 for full exploit chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.1

Vendor Advisory: https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40

Restart Required: Yes

Instructions:

1. Upgrade web2py to version 2.14.1 or later.
2. Download from https://web2py.com.
3. Replace the existing installation.
4. Restart the web2py service.

🔧 Temporary Workarounds

Remove examples directory (applies to: all)

Delete or restrict access to the examples directory to prevent exploitation. Use one of the two commands, not both (chmod has nothing left to act on once rm has run):

# Option A: delete the directory outright
rm -rf /path/to/web2py/examples
# Option B: keep it on disk but make it unreadable to the web server
chmod 000 /path/to/web2py/examples

Web server access control (applies to: all)

Configure the web server to block access to /examples/* paths.

# Apache 2.4 (in httpd.conf or the virtual host):
<Location "/examples">
    Require all denied
</Location>

# Nginx (inside the server block):
location /examples {
    deny all;
}

🧯 If You Can't Patch

  • Remove or restrict access to the examples directory using file permissions or web server configuration
  • Implement network segmentation to limit access to web2py instances from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[web2py-host]/examples/template_examples/beautify. If it returns environment variable data, the system is vulnerable.

Check Version:

cat /path/to/web2py/VERSION or check web2py admin interface

Verify Fix Applied:

After patching, the same URL should return 404 or access denied. Check web2py version is 2.14.1 or higher.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /examples/template_examples/beautify
  • Unusual access to example files

Network Indicators:

  • HTTP requests to beautify endpoint from unexpected sources

SIEM Query:

source="web2py" AND (url="/examples/template_examples/beautify" OR url="/examples/*")
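Added here as a defender-side example, not code from this page or from the web2py project: a Python script that applies the log indicators above to constructed Combined Log Format access-log lines (flagging a served beautify page as a likely disclosure, a blocked request as an attempt, and other /examples/ hits as low-severity), and checks a VERSION string against 2.14.1. The sample log lines, IPs and the "Version X.Y.Z-..." layout of the VERSION file are assumptions.

```python
import re

# Combined log format as written by Apache and Nginx (constructed samples below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
BEAUTIFY = "/examples/template_examples/beautify"
EXAMPLES = "/examples/"

def normalize_path(raw):
    """Drop the query string and collapse '//' so trivial variants still match."""
    return re.sub(r"/+", "/", raw.split("?", 1)[0])

def classify_request(line):
    """Return a finding dict for one access-log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    status = int(m.group("status"))
    if path == BEAUTIFY:
        # a 2xx means the example page was actually served: treat as disclosure
        sev = "disclosure" if 200 <= status < 300 else "attempt"
    elif path.startswith(EXAMPLES):
        sev = "examples-access"
    else:
        return None
    return {"ip": m.group("ip"), "path": path, "status": status, "severity": sev}

def scan_log(text):
    """Classify every line of an access log and keep only the hits."""
    return [f for f in map(classify_request, text.splitlines()) if f]

def is_vulnerable_version(version_text):
    """True if the first X.Y.Z in web2py's VERSION file is below 2.14.1
    (the 'Version X.Y.Z-...' line layout is an assumption about that file)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(x) for x in m.groups()) < (2, 14, 1)

# Constructed sample log lines (not from any real server)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:12:00:01 +0000] "GET /examples/template_examples/beautify HTTP/1.1" 200 4821
203.0.113.7 - - [10/Mar/2016:12:00:02 +0000] "GET /examples/default/index HTTP/1.1" 200 1200
198.51.100.4 - - [10/Mar/2016:12:00:03 +0000] "GET /myapp/default/index HTTP/1.1" 200 3100
203.0.113.7 - - [10/Mar/2016:12:00:04 +0000] "GET /examples//template_examples/beautify?x=1 HTTP/1.1" 403 199
"""
```

Running `scan_log(SAMPLE_LOG)` yields three findings: one disclosure, one examples-access and one attempt; the /myapp request is ignored.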
