CVE-2016-3957

9.8 CRITICAL

📋 TL;DR

The secure_load function in gluon/utils.py deserializes the contents of session cookies with Python's pickle.loads. An attacker who knows the application's encryption_key can sign a crafted pickle, present it as a session cookie, and have arbitrary code run with the privileges of the web2py process when the server deserializes it. web2py applications before 2.14.2 that decode session cookies through secure_load (cookie-based sessions) are affected.

💻 Affected Systems

Products:
  • web2py
Versions: All versions before 2.14.2
Operating Systems: All operating systems running web2py
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is secure_load in gluon/utils.py, reached whenever session data is carried client-side in a cookie. Exploitation requires the encryption_key, so a weak, example or leaked key is what turns an affected version into an exploitable deployment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to steal sensitive data, modify application behavior, or use the server for further attacks.

🟢 If Mitigated

No impact once web2py is upgraded (or a workaround removes pickle from the cookie path) and the encryption_key has been rotated, so that previously forged cookies no longer pass signature verification.

🌐 Internet-Facing: HIGH - No authentication is needed; the only precondition is the encryption_key, which an attacker may guess (weak or example values) or obtain from leaked source, backups or configuration.
🏢 Internal Only: MEDIUM - Same precondition; an insider, or an attacker already on the network with read access to the application's configuration, can take the key directly.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the encryption_key, which may be guessable or obtainable through other means. Public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.2 and later

Vendor Advisory: https://github.com/web2py/web2py/releases/tag/R-2.14.2

Restart Required: Yes

Instructions:

1. Back up the application and its configuration.
2. Update web2py to version 2.14.2 or later.
3. Restart the web2py application server.
4. Rotate the encryption_key so that every existing session cookie, including any already forged, fails signature verification; users will have to sign in again.

🔧 Temporary Workarounds

Change encryption_key (applies to: all versions)

Replace the encryption_key with a long random value. Every cookie signed under the old key, forged ones included, then fails verification and is discarded; users are logged out and must sign in again. This does not remove the pickle.loads call, so it only holds until the new key is guessed or leaked.

Set the new key wherever your application passes it to session handling (typically the application's models/db.py or appconfig.ini) and restart the server.

Disable pickle-based session handling (applies to: all versions)

Replace pickle with JSON for cookie payloads, so that deserialization builds only dicts, lists, strings and numbers and can never call code.

Edit gluon/utils.py so that secure_load uses json.loads and its dump counterpart in the same file uses json.dumps (both sides must change together), then rotate the encryption_key so that old pickle-format cookies are rejected rather than handed to the old loader. Session values JSON cannot represent (datetime objects, custom classes) stop round-tripping, so check what your application stores in session before switching. This removes the code-execution primitive but not forgery: anyone who knows the key can still mint a cookie with arbitrary session values, so the key must stay secret.
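The following is an added example, not web2py's code: a reduced model of the vulnerable pattern described in the TL;DR (signature check, then pickle.loads on the cookie payload) beside the JSON variant described in the second workaround above. It omits the AES layer the real secure_load applies and assumes, as the advisory's premise does, that the signing key is derived from encryption_key, so whoever knows that key can produce a valid signature. The record() function, the Payload class and the key "yoursecret" are constructed for the demonstration.

```python
"""Model of HMAC-then-pickle session cookies (added example; not web2py's implementation)."""
import base64
import hashlib
import hmac
import json
import pickle

# Records side effects of deserialization so the demonstration stays benign.
EXECUTED = []


def record(marker):
    EXECUTED.append(marker)


def _sign(key: bytes, blob: bytes) -> str:
    # Assumption of this model: the signing key is derived from encryption_key,
    # so knowing encryption_key is enough to sign anything.
    hash_key = hashlib.sha256(key).digest()
    return hmac.new(hash_key, blob, hashlib.sha256).hexdigest()


def _verify(cookie: str, key: bytes):
    """Return the decoded payload bytes if the signature matches, else None."""
    try:
        sig, blob = cookie.split(":", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(key, blob.encode())):
        return None
    return base64.urlsafe_b64decode(blob)


def secure_dump_pickle(obj, key: bytes) -> str:
    blob = base64.urlsafe_b64encode(pickle.dumps(obj)).decode()
    return f"{_sign(key, blob.encode())}:{blob}"


def secure_load_pickle(cookie: str, key: bytes):
    """Vulnerable shape: a valid signature hands attacker-chosen bytes to pickle.loads."""
    data = _verify(cookie, key)
    return None if data is None else pickle.loads(data)


def secure_dump_json(obj, key: bytes) -> str:
    blob = base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return f"{_sign(key, blob.encode())}:{blob}"


def secure_load_json(cookie: str, key: bytes):
    """Hardened shape: json.loads builds only data, never calls code."""
    data = _verify(cookie, key)
    if data is None:
        return None
    try:
        return json.loads(data)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are both ValueError
        return None


class Payload:
    """What an attacker who knows the key serializes: __reduce__ names a callable
    that pickle.loads invokes. Here it is the harmless record(); a real payload
    would name something like os.system."""

    def __reduce__(self):
        return (record, ("pickle payload executed",))


def forge_cookie(key: bytes) -> str:
    return secure_dump_pickle(Payload(), key)


def demo():
    key = b"yoursecret"  # constructed placeholder key
    legit = secure_dump_pickle({"user_id": 42}, key)
    assert secure_load_pickle(legit, key) == {"user_id": 42}
    EXECUTED.clear()
    secure_load_pickle(forge_cookie(key), key)  # signature valid, so the payload runs
    ran_with_pickle = EXECUTED == ["pickle payload executed"]
    EXECUTED.clear()
    rejected_by_json = secure_load_json(forge_cookie(key), key) is None and not EXECUTED
    return ran_with_pickle, rejected_by_json


if __name__ == "__main__":
    print(demo())
```

The signature check is not the weak link: it passes because the attacker holds the key. The JSON loader fails closed on the same forged cookie because the bytes are not JSON, and even a well-formed JSON cookie can only set values, not run code. It still accepts any values the key-holder chooses, which is why rotating the key remains part of the fix.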

🧯 If You Can't Patch

  • Restrict who can reach the application (network ACLs, VPN, authentication at a reverse proxy) so that an attacker who obtains the key still cannot present a cookie to it.
  • Rotate the encryption_key to a long random value and keep it out of source control and backups that others can read.
  • Rate-limit and alert on requests whose session cookie fails validation; the cookie payload is encrypted, so WAF rules that look for pickle opcode patterns in the cookie will not match, and length-based rules must be tuned to your application's normal session size.

🔍 How to Verify

Check if Vulnerable:

Check the web2py version: anything before 2.14.2 is vulnerable. Inspecting secure_load in gluon/utils.py for a pickle.loads call tells you which deserializer the code you actually run uses (relevant if web2py is vendored or locally patched), but treat the version as the authoritative test.

Check Version:

python -c "import gluon; print(gluon.__version__)"   (run from the web2py root directory so gluon is importable)
or read the web2py/VERSION file

Verify Fix Applied:

Confirm the running instance reports version 2.14.2 or later (re-check after any deploy that could reintroduce an older vendored copy) and, if you applied the JSON workaround to a copy you cannot upgrade, that secure_load no longer calls pickle.loads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual session creation patterns
  • Multiple failed session validations
  • Requests with unusually large or malformed cookies

Network Indicators:

  • Bursts of requests from one source whose session cookies fail signature validation (the pickle inside a web2py session cookie is encrypted and base64-encoded, so pickle opcode patterns such as the base64 prefix "gAS" are not visible on the wire)
  • Unusual outbound connections from the web2py server after a session request

SIEM Query (pseudo-syntax; adapt field names and thresholds to your log source):

source="web2py" AND (session_validation_failures_per_ip_per_minute>5 OR cookie_length>4096)

Terms such as cookie="*gAS*" or cookie="*pickle*" only match cleartext pickles and produce no hits against this cookie format; baseline cookie_length on your own traffic rather than a fixed figure.
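To turn the indicators above into something that runs, here is a small detector as an added example (not web2py code). It assumes an application-side hook that writes one line per session validation with the fields shown; web2py does not emit such lines on its own, and the sample log is constructed. It counts signature failures per source inside a sliding window and flags oversized cookies, and deliberately does no opcode matching, since the payload is encrypted.

```python
"""Detection over constructed log lines (added example, not web2py code)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample. The line format is an assumption: a hook in your application
# must emit one record per session validation with these fields.
SAMPLE_LOG = """\
2016-04-01T12:00:00 ip=203.0.113.7 event=session_sig_invalid cookie_len=512
2016-04-01T12:00:03 ip=203.0.113.7 event=session_sig_invalid cookie_len=520
2016-04-01T12:00:05 ip=203.0.113.7 event=session_sig_invalid cookie_len=515
2016-04-01T12:00:09 ip=203.0.113.7 event=session_sig_invalid cookie_len=518
2016-04-01T12:00:11 ip=203.0.113.7 event=session_sig_invalid cookie_len=530
2016-04-01T12:00:20 ip=198.51.100.4 event=session_ok cookie_len=498
2016-04-01T12:00:25 ip=198.51.100.9 event=session_ok cookie_len=9000
2016-04-01T12:30:00 ip=192.0.2.1 event=session_sig_invalid cookie_len=500
"""


def parse_line(line):
    """'<iso timestamp> ip=x event=y cookie_len=n' -> dict with parsed timestamp and int length."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["cookie_len"] = int(rec["cookie_len"])
    return rec


def detect(log_text, window_seconds=60, failure_threshold=5, max_cookie_len=4096):
    """Return (ip, reason) alerts in the order they fire.

    repeated_signature_failures: at least failure_threshold failed validations from
    one IP inside window_seconds. A forged cookie under the correct key validates
    silently, so this catches key guessing and tampering, not a successful forgery.
    oversized_cookie: cookie far above this application's normal session size;
    max_cookie_len is a starting point to baseline against real traffic.
    """
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        ip, ts = rec["ip"], rec["ts"]
        if rec["cookie_len"] > max_cookie_len and (ip, "oversized_cookie") not in alerted:
            alerted.add((ip, "oversized_cookie"))
            alerts.append((ip, "oversized_cookie"))
        if rec["event"] == "session_sig_invalid":
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            key = (ip, "repeated_signature_failures")
            if len(recent) >= failure_threshold and key not in alerted:
                alerted.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {reason} from {ip}")
```

On the constructed sample this fires once for 203.0.113.7 (five failures in eleven seconds) and once for 198.51.100.9 (a 9000-byte cookie), and stays quiet for the lone failure from 192.0.2.1.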
