Wednesday, October 12, 2011

A Code Execution Vulnerability in Google App Engine SDK for Python

Introduction

Google App Engine is a great technology allowing web developers to develop their own web applications, test them in their internal framework, and deploy them to Google’s appspot.com domain. The Google App Engine framework allows developers to write their web site logic in Python, and offers several frameworks specially created for this. In addition, Google App Engine provides a web-based SDK Console that acts as an administration console for the newly written application.

This advisory lists 4 different vulnerabilities, one in the admin console and three others in the Google Python API, which allow a remote attacker to gain full code execution on the developer’s machine. These severe issues have been communicated to Google, and a fix was released last month on Sep 12, 2012 (in version 1.5.4).

Download PDF: http://blog.watchfire.com
