We have recently identified an interesting code execution vulnerability in the Google App Engine SDK for Python. By combining a CSRF vulnerability in the administration web UI, with some other vulnerabilities we found in the Google python libraries, a remote hacker could gain remote code execution privileges on victim's machine. This vulnerability affects all operation systems running Google App Engine SDK for python (i.e. Windows, Mac OS, etc.).
The full advisory can be found here.
As always, Google has been very quick with fixing the issue. According to the company, the fix was provided in version 1.5.4, which was released on Sep 12th.
Comments