It was found that multiple code paths in eDeploy would call eval() with unsanitized user-supplied input. A remote attacker could exploit this to execute arbitrary code on the eDeploy server.
Acknowledgements: This issue was discovered by Andrew Griffiths of Red Hat Product Security.
Summary: Multiple eval() usages, leading to arbitrary code execution on servers and clients (in MITM-type attacks). Unsafe directory handling situations, filename handling. Should introduce whitelisting.

Solution: Comprehensive security training, with initial targets identified by GitHub commit logs :-)

upload-health.py:

    hw_items = eval(hw_file.read(-1))

upload.py:

    hw_items = eval(hw_file.read(-1))

hw_file is specified to the CGI script via

    $ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
    $ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py

respectively. Allows arbitrary Python code execution.

matcher.py:

    lst = eval('(' + _list + ')')

Need to trace the code flow for _list, but... probably vuln.
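The fix the summary asks for (replace eval() on the uploaded hardware list with a literal-only parser plus whitelisting, and whitelist the upload name before it touches a path) can be shown with a small example. The code below is an added illustration and is not eDeploy's own code; the hw.lst layout (a list of 4-tuples of strings) and the category whitelist are assumptions made for the example, and the sample uploads are constructed.

```python
import ast
import re

# Constructed sample of an uploaded hw.lst: a plain Python literal.
# The 4-tuple-of-strings layout is an assumption for this example.
SAFE_UPLOAD = "[('disk', 'sda', 'size', '100'), ('cpu', 'logical', 'number', '8')]"

# Constructed upload that is NOT a pure literal (it contains a call).
# eval() would execute the call; ast.literal_eval() refuses the whole input.
NON_LITERAL_UPLOAD = "[('disk', 'sda', 'size', str(100))]"

# Whitelist of accepted hardware categories (assumed, not eDeploy's list).
ALLOWED_CATEGORIES = {"disk", "cpu", "memory", "network", "system"}

# Upload 'name' must be a short, plain token: no separators, no leading dot.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def parse_hw_items_unsafe(data: str):
    """The pattern from the report: eval() over the uploaded body.
    Kept only for contrast with the hardened parser below."""
    return eval(data)


def parse_hw_items(data: str):
    """Hardened parser: accept only a literal list of 4-tuples of strings
    whose category is on the whitelist. Anything else raises ValueError."""
    try:
        items = ast.literal_eval(data)  # never evaluates calls or names
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"hw list is not a plain literal: {exc}") from exc
    if not isinstance(items, list):
        raise ValueError("hw list must be a list")
    validated = []
    for item in items:
        if not (isinstance(item, tuple) and len(item) == 4
                and all(isinstance(field, str) for field in item)):
            raise ValueError(f"malformed hw item: {item!r}")
        if item[0] not in ALLOWED_CATEGORIES:
            raise ValueError(f"unknown category: {item[0]!r}")
        validated.append(item)
    return validated


def is_accepted(data: str) -> bool:
    """True if the hardened parser accepts the upload body."""
    try:
        parse_hw_items(data)
    except ValueError:
        return False
    return True


def safe_upload_name(name: str) -> str:
    """Whitelist the 'name' form field before it is used to build a path."""
    if not _NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected upload name: {name!r}")
    return name


def is_safe_name(name: str) -> bool:
    """True if the upload name passes the whitelist."""
    try:
        safe_upload_name(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("safe upload parsed:", parse_hw_items(SAFE_UPLOAD))
    print("non-literal upload accepted by hardened parser:",
          is_accepted(NON_LITERAL_UPLOAD))
    print("non-literal upload under eval():",
          parse_hw_items_unsafe(NON_LITERAL_UPLOAD))
    print("name 'test' ok:", is_safe_name("test"),
          "| name '../etc' ok:", is_safe_name("../etc"))
```

ast.literal_eval only builds Python literals (strings, numbers, tuples, lists, dicts, sets, booleans, None); a call, attribute access or name in the input raises ValueError instead of running, which is exactly the property eval() lacks. The structural and category checks after it are the whitelisting the summary recommends, so an upload that is a valid literal but not a valid hardware list is still rejected.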
This is now filed publicly https://github.com/enovance/edeploy/issues/233
Statement: Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.