CERTCC / VINCE

An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed. Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC.

The relevant code update

VINCE/vinny/models.py

Lines 238 to 242 in 213dcd9

    
           class RestrictedUnpickler(pickle.Unpickler): 
        
               def find_class(self, module, name): 
        
                   """ If find_class gets called then return error """ 
        
                   raise pickle.UnpicklingError("global '%s.%s' is forbidden" % 
        
                                                (module, name))

Resolved with #62

	class RestrictedUnpickler(pickle.Unpickler):
	def find_class(self, module, name):
	""" If find_class gets called then return error """
	raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
	(module, name))

Remote Code Injection vulnerability using Python pickle object