CVE-2017-7235: cfscrape Improper Input Validation vulnerability

CVSS Score: 8.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.61711%
Published: 7/13/2018
Updated: 9/13/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: cfscrape
Ecosystem: pip
Vulnerable Versions: >= 1.6.6, <= 1.7.1
First Patched Version: 1.8.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper input validation when processing JavaScript challenges. The library used js2py to execute JavaScript from scraped pages but didn't disable the pyimport feature. This allowed attackers to craft JS with pyimport statements to execute arbitrary Python code. The fix in 1.8.0 explicitly calls js2py.disable_pyimport(), confirming the vulnerable code path was in the challenge-solving logic. The solve_challenge function is the primary point where JS evaluation occurs, making it the clear vulnerable component.
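
To check whether a project pins an affected release, the following added example (not code from Miggo or the cfscrape project) scans requirements-style lines for cfscrape and compares exact pins against the range this page lists (>= 1.6.6, <= 1.7.1). The sample lines are constructed, and the assumption is that only exact `==` pins can be judged from the file; ranged or unpinned entries are flagged for a check of the installed version.

```python
import re

# Affected range and first patched release, as listed on this page.
VULN_MIN = (1, 6, 6)
VULN_MAX = (1, 7, 1)
FIRST_PATCHED = "1.8.0"

# name, optional extras, exact '==' pin, numeric version, optional env marker.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*"
    r"(?P<ver>\d+(?:\.\d+)*)\s*(?:;.*)?$"
)

def normalize(name):
    """PEP 503 name normalization, so 'CFScrape' and 'cfscrape' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """Turn '1.7' into (1, 7, 0) so tuples compare release by release."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX

def scan_requirements(lines):
    """Return (line_no, version, verdict) for each cfscrape entry found."""
    findings = []
    for no, line in enumerate(lines, start=1):
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped:
            continue
        m = PIN_RE.match(stripped)
        if m and normalize(m.group("name")) == "cfscrape":
            verdict = "VULNERABLE" if is_vulnerable(m.group("ver")) else "ok"
            findings.append((no, m.group("ver"), verdict))
        elif normalize(re.split(r"[\s\[<>=!~;]", stripped, maxsplit=1)[0]) == "cfscrape":
            # Ranged or unpinned: the installed version decides, so flag it.
            findings.append((no, None, "UNPINNED"))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = ["requests==2.31.0", "cfscrape==1.7.0  # scraper", "CFScrape>=1.6",
          "cfscrape==1.8.0", "cfscrape==1.6.5"]

if __name__ == "__main__":
    for no, ver, verdict in scan_requirements(SAMPLE):
        print(f"line {no}: cfscrape {ver or '(no exact pin)'} -> {verdict}; "
              f"first patched release is {FIRST_PATCHED}")
```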
