CVE-2016-3953

9.8 CRITICAL

📋 TL;DR

This vulnerability in web2py's sample web application allows remote attackers to execute arbitrary code by exploiting a hardcoded encryption key in the session.connect function. Attackers can achieve remote code execution (RCE) on affected systems. This affects web2py installations using the vulnerable sample application.

💻 Affected Systems

Products:
  • web2py
Versions: Versions before 2.14.2
Operating Systems: All operating systems running web2py
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations that deploy the vulnerable sample application (examples folder). Production deployments without the sample app may not be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the web server, allowing data theft, lateral movement, and persistent access.

🟠

Likely Case

Remote code execution leading to web application compromise, data exfiltration, and potential server takeover.

🟢

If Mitigated

No impact if the sample application is not deployed or proper patching/workarounds are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once the hardcoded key is known. Public exploit code and detailed analysis are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.2 and later

Vendor Advisory: https://github.com/web2py/web2py/releases/tag/R-2.14.2

Restart Required: Yes

Instructions:

1. Back up your web2py applications and data.
2. Upgrade web2py to version 2.14.2 or later.
3. Restart the web2py server.
4. Verify the fix by checking the version and ensuring the sample app is not in use.

🔧 Temporary Workarounds

Remove sample application

Platform: all

Delete or disable the vulnerable sample application from the web2py installation.

rm -rf /path/to/web2py/applications/examples

Disable session.connect with hardcoded key

Platform: all

Modify the session.py file to remove or secure the hardcoded encryption key usage.

Edit /path/to/web2py/applications/examples/models/session.py so that session.connect uses a securely generated random key instead of the hardcoded one.

🧯 If You Can't Patch

  • Remove or disable the examples application folder from production deployments
  • Implement network segmentation and firewall rules to restrict access to affected systems

🔍 How to Verify

Check if Vulnerable:

Check if web2py version is below 2.14.2 AND the examples application is present in the applications directory.

Check Version:

python web2py.py --version

Verify Fix Applied:

Verify web2py version is 2.14.2 or higher and ensure the examples application is either removed or not accessible.
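The vulnerable condition above (version below 2.14.2 AND the examples application present) as a small self-check script. This is an added example, not part of the advisory or of web2py itself; it assumes the version banner or VERSION file contains an "x.y.z" string such as "Version 2.14.1-stable+timestamp..." and demonstrates on a constructed directory layout.

```python
# Added example (not from the advisory or from web2py): reproduce the
# "Check if Vulnerable" rule for CVE-2016-3953 in code. A host counts as
# vulnerable when its web2py version is below 2.14.2 AND the sample
# application directory applications/examples is present.
import os
import re
import tempfile

PATCHED_VERSION = (2, 14, 2)


def parse_version(version_text):
    """Extract a (major, minor, patch) tuple from a web2py version string.

    Assumed format: the banner from `python web2py.py --version` or the
    VERSION file contains text like "Version 2.14.1-stable+timestamp...";
    only the leading three numbers are compared.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if match is None:
        raise ValueError("no x.y.z version found in: %r" % version_text)
    return tuple(int(part) for part in match.groups())


def check_web2py(version_text, web2py_root):
    """Return a dict describing the vulnerable condition for one install."""
    version = parse_version(version_text)
    examples_dir = os.path.join(web2py_root, "applications", "examples")
    has_examples = os.path.isdir(examples_dir)
    unpatched = version < PATCHED_VERSION
    return {
        "version": version,
        "unpatched": unpatched,
        "examples_present": has_examples,
        # both conditions must hold for the host to match the advisory
        "vulnerable": unpatched and has_examples,
    }


def demo():
    """Constructed layout: a fake web2py root with the sample app present."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "applications", "examples", "models"))
    old = check_web2py("Version 2.14.1-stable+timestamp.2016.03.05", root)
    new = check_web2py("Version 2.14.2-stable+timestamp.2016.03.08", root)
    return old["vulnerable"], new["vulnerable"]  # (True, False)


if __name__ == "__main__":
    print(demo())
```

Point `check_web2py` at a real install root together with its version banner; an install that is unpatched but has already had the examples folder removed reports `vulnerable: False` while still flagging `unpatched: True`.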

📡 Detection & Monitoring

Log Indicators:

  • Unusual session creation patterns
  • Requests to examples application endpoints
  • Error logs showing serialization/deserialization issues

Network Indicators:

  • HTTP requests containing serialized session data with predictable encryption
  • Traffic to /examples/* paths

SIEM Query:

source="web2py" AND (uri_path="/examples/*" OR message="session.connect")

🔗 References
