2018-01-16

apps using #Python may be vulnerable

1.2: news.cyb/sec/lang/python/undocumented methods:
Liam Tung 2017:
IOActive researcher Fernando Arnaboldi
revealed that Python has "undocumented methods
and local environment variables
that can be used for OS command execution".
ref:
Black Hat presentation:
Exposing Hidden Exploitable Behaviors in Programming Languages
Using Differential Fuzzing:
A differential fuzzing framework was created to detect
dangerous and unusual behaviors in
similar software implementations.
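A small illustration of the differential-fuzzing idea, added here and not taken from the presentation or its framework: feed the same generated inputs to several implementations that claim to do the same job, record each one's value or exception, and keep the inputs on which they disagree. The three "implementations" compared are Python's own str.isdigit, str.isdecimal and str.isnumeric, and then the same checks used as guards in front of int(), which is how a developer would actually use them; the character pool and the seed are constructed for the demonstration.

```python
import random

# Constructed pool of characters: ASCII digits, an Arabic-Indic digit,
# a superscript two, a vulgar fraction, and some non-numeric filler.
POOL = ["0", "9", "\u0663", "\u00b2", "\u00bd", " ", "-", "a"]

def run_impl(fn, x):
    """Outcome of one implementation on one input: value or exception type."""
    try:
        return ("ok", fn(x))
    except Exception as e:  # the fuzzer wants the type, not a crash
        return ("exc", type(e).__name__)

def outcomes_for(impls, x):
    """Run every implementation on one input."""
    return {name: run_impl(fn, x) for name, fn in impls.items()}

def diff_fuzz(impls, inputs):
    """Keep the inputs on which the implementations disagree, either
    by returning different values or by raising where another returns."""
    divergences = []
    for x in inputs:
        outcomes = outcomes_for(impls, x)
        first = next(iter(outcomes.values()))
        if any(o != first for o in outcomes.values()):
            divergences.append((x, outcomes))
    return divergences

def gen_inputs(n, seed=1):
    """Deterministic short strings drawn from POOL (seeded for repeatability)."""
    rng = random.Random(seed)
    return ["".join(rng.choice(POOL) for _ in range(rng.randint(0, 3)))
            for _ in range(n)]

# Three similar implementations of "is this string a number?"
CHECKS = {"isdigit": str.isdigit,
          "isdecimal": str.isdecimal,
          "isnumeric": str.isnumeric}

def guard_then_int(check):
    """The pattern in real code: validate with one check, then convert."""
    return lambda s: int(s) if check(s) else None

GUARDED = {name: guard_then_int(fn) for name, fn in CHECKS.items()}

def fuzz_numeric_checks(seed=1, n=200):
    """Return (divergences among the checks, divergences among the guards)."""
    inputs = gen_inputs(n, seed) + ["42", "\u00b2", "\u00bd"]
    return diff_fuzz(CHECKS, inputs), diff_fuzz(GUARDED, inputs)

if __name__ == "__main__":
    checks, guards = fuzz_numeric_checks()
    for x, outcomes in guards:
        print(repr(x), outcomes)
```

The second run is the interesting one: "²" passes isdigit() and isnumeric() but int("²") raises ValueError, while the isdecimal() guard rejects it; the divergence is exactly the kind of unusual behaviour a differential fuzzer is built to surface, and it only shows up because several implementations were run side by side.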
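One check a practitioner can run on their own dependencies, added here and not part of the news item or the paper: list the public callables a module defines that carry no docstring, or that are left out of __all__ when the module declares one. Missing docstrings are only a proxy for "not in the official documentation", but they are cheap to find and point at the same class of function the research is about. The sample module is constructed for the demonstration.

```python
import inspect
import types

def undocumented_callables(module):
    """Public callables defined in `module` that have no docstring, or that
    are omitted from __all__ when the module defines one.
    Returns a sorted list of (name, no_docstring, not_exported)."""
    exported = set(getattr(module, "__all__", None) or [])
    findings = []
    for name, obj in sorted(vars(module).items()):
        if name.startswith("_") or not callable(obj) or inspect.ismodule(obj):
            continue
        # Skip re-exports: only report what this module itself defines.
        if getattr(obj, "__module__", module.__name__) != module.__name__:
            continue
        no_doc = not inspect.getdoc(obj)
        not_exported = bool(exported) and name not in exported
        if no_doc or not_exported:
            findings.append((name, no_doc, not_exported))
    return findings

def build_sample_module():
    """Constructed module: one clean function, one deprecated-but-documented
    helper kept out of __all__, and one function with no documentation."""
    mod = types.ModuleType("sample")
    src = '''
__all__ = ["documented"]
def documented(x):
    "Public, documented and exported."
    return x
def legacy_helper(x):
    "Documented, but kept out of __all__ for backward compatibility."
    return x
def raw_exec(cmd):
    return cmd
'''
    exec(compile(src, "<sample>", "exec"), mod.__dict__)
    return mod

if __name__ == "__main__":
    import os
    for name, no_doc, not_exported in undocumented_callables(os):
        print(f"os.{name}: no_docstring={no_doc} not_in___all__={not_exported}")
```

Run against a real module (the __main__ block uses os) the list is a starting point for review, not a verdict: each hit still has to be read to decide whether it merely lacks a docstring or whether it is a deprecated entry point that still reaches something dangerous.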
1.16: the paper:
. some Python functions are undocumented because
they are deprecated:
don't use them in new code,
but they are kept in place, undocumented,
for backward compatibility.
. documentation can also be there to warn you
that a function doesn't check its inputs,
so you shouldn't feed it data from an untrusted source.
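What "doesn't check its inputs" means for the OS-command case, as an added example that is not from the paper: the shell-string pattern beside its two hardened forms. The hostile input is constructed for the demonstration, and the example assumes a POSIX /bin/sh and an echo command (it uses subprocess with shell=True, which is the same exposure as os.system but lets the output be captured).

```python
import shlex
import subprocess

# Constructed hostile input: a shell metacharacter followed by a second command.
HOSTILE = "hello; echo INJECTED"

def echo_unsafe(user_input):
    """Vulnerable pattern: untrusted text concatenated into a shell string.
    The shell parses the input, so ';' ends the command and starts another."""
    return subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True).stdout

def echo_quoted(user_input):
    """When a shell is unavoidable: quote the untrusted part so the shell
    sees it as one word, metacharacters included."""
    return subprocess.run("echo " + shlex.quote(user_input), shell=True,
                          capture_output=True, text=True).stdout

def echo_argv(user_input):
    """Preferred form: an argument vector and no shell at all, so nothing
    parses the input as command syntax."""
    return subprocess.run(["echo", user_input],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("unsafe :", repr(echo_unsafe(HOSTILE)))
    print("quoted :", repr(echo_quoted(HOSTILE)))
    print("argv   :", repr(echo_argv(HOSTILE)))
```

The unsafe form prints two lines because the second command ran; the other two print the input back as a single literal line. Reaching for the argv form first, and shlex.quote only where a shell is genuinely required, is the practical reading of the documentation warning above.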
