lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAGUWgD_77N2dK17q7hcMv5ySwgjw8utBF1=Goa_cDNrVjeMvJw@mail.gmail.com>
Date: Thu, 22 Jul 2021 11:50:21 +0300
From: Georgi Guninski <gguninski@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ipython3 may execute code from the current working directory

Summary: under certain circumstances, ipython3 may execute
code from the current working directory. This might be a
problem if the current working directory is not trusted.

python3 is safe.

Tested on ubuntu 20.

The following session illustrates it:

joro@...lokote:~/tests/dir2$ pwd
/home/joro/tests/dir2
joro@...lokote:~/tests/dir2$ ipython3 --version
7.13.0
joro@...lokote:~/tests/dir2$ ls ~/tests/dir1
a.py  joro-orig.py  __pycache__
joro@...lokote:~/tests/dir2$ ls ~/tests/dir2
joro.py  __pycache__
joro@...lokote:~/tests/dir2$ cat ~/tests/dir1/a.py
try:  import joro
except:  print("error in import")
joro@...lokote:~/tests/dir2$ cat ~/tests/dir2/joro.py
print("imported joro :)")
joro@...lokote:~/tests/dir2$ ipython3 ~/tests/dir1/a.py
imported joro :)
joro@...lokote:~/tests/dir2$

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists