Python-Future Arbitrary Code Execution Vulnerability via Unintended Import of test.py

Vulnerability

A vulnerability in the Python-Future (future) module, version 1.0.0, allows arbitrary code execution through the unintended import of a module named test. On Python 3, importing future.moves (and therefore any of its submodules, such as future.moves.urllib) causes the package to import a fixed list of top-level standard-library module names, test among them, with a bare __import__ call. Python resolves that name by searching sys.path in order, and the directory of the running script (or the current directory for an interactive session) comes first, so a test.py file or a test package there, or in any other sys.path entry, shadows the standard library's test package and its top-level code runs. An attacker who can write such a file to the server can therefore execute arbitrary code in every process that imports the module; a stray, non-malicious test.py in a project directory is picked up by the same import without any warning.

Impact

Exploitation of this vulnerability allows arbitrary code execution with the privileges of the process that imports the affected Python-Future module, on any host where an attacker can place a file named test.py (or a test package) in a directory on that process's sys.path.

Reproduction

To reproduce this vulnerability, install Python-Future 1.0.0 under Python 3. In a fresh directory, create a Python script that imports a future module, such as future.moves.urllib, and alongside it a file named test.py whose top-level code has a visible side effect (writing a marker file is enough). Run the script from that directory. The script's directory is sys.path[0], so the package's import of the top-level name test loads the local test.py instead of the standard library's test package and executes its contents as a side effect of the import line, before the script's own code continues. Removing test.py stops the payload from running, as does starting the interpreter with -P (Python 3.11 and later) so that the script directory is not placed on sys.path; the latter is only a partial mitigation, because a test.py in any other writable sys.path entry is still found.
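The procedure above can be reproduced without installing the vulnerable package, because the package does nothing more than a bare top-level import of the name test. The following is an added example, not code from the python-future project or from this page: it imitates that import against a sys.path whose first entry holds a constructed test.py, shows that the payload runs, then shows what resolution looks like once that first entry is gone (the effect of python -P or PYTHONSAFEPATH=1 on 3.11 and later) and a guard that refuses to import a standard-library name whose resolved file lies outside the interpreter's stdlib tree. The PAYLOAD text, the DEMO_MARKER environment variable and every function name below are this example's own.

```python
"""Reproduce, with the standard library alone, the import-shadowing mechanism
behind the python-future test.py issue, then show a resolution check and a
mitigation.

Added example; not code from the python-future project. The only thing taken
from the project is the behaviour being imitated: a bare __import__ of the
top-level name "test" with ImportError swallowed. PAYLOAD, DEMO_MARKER and the
functions below are this example's own names.
"""
import importlib.machinery
import os
import shutil
import sys
import sysconfig
import tempfile
import textwrap

# Constructed payload standing in for an attacker-written (or merely stray)
# test.py. Its top-level code runs at import time, with the importing process's
# privileges; here it just writes a marker file so the execution is observable.
PAYLOAD = textwrap.dedent("""\
    import os
    with open(os.environ["DEMO_MARKER"], "w") as fh:
        fh.write("executed")
""")

STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_origin(name, search_path):
    """Realpath of the file the import system would load for `import <name>`
    when searching `search_path` in order (first hit wins), or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or spec.origin is None:
        return None
    return os.path.realpath(spec.origin)


def is_stdlib_origin(origin):
    """True only if the resolved file lives inside the interpreter's stdlib tree."""
    return origin is not None and origin.startswith(STDLIB_DIR + os.sep)


def import_like_future(name, search_path):
    """Imitate python-future's top-level import: forget any cached module of
    that name, bare __import__ it against `search_path`, swallow ImportError.
    Returns the realpath of the module that was loaded, or None. sys.path and
    sys.modules are restored afterwards, so the call leaves no trace."""
    saved_path, saved_modules = sys.path[:], dict(sys.modules)
    sys.path[:] = search_path
    sys.modules.pop(name, None)
    try:
        __import__(name)
        origin = getattr(sys.modules[name], "__file__", None)
        return None if origin is None else os.path.realpath(origin)
    except ImportError:
        return None
    finally:
        sys.path[:] = saved_path
        for added in set(sys.modules) - set(saved_modules):
            del sys.modules[added]
        if name in saved_modules:
            sys.modules[name] = saved_modules[name]


def guarded_import(name, search_path):
    """Hardened variant: import a top-level stdlib name only if the file the
    import system would actually pick is inside the stdlib tree. Returns True
    if imported, False if refused (shadowed, or the stdlib package is absent)."""
    if not is_stdlib_origin(resolve_origin(name, search_path)):
        return False
    import_like_future(name, search_path)
    return True


def run_demo():
    """Stage the scenario in a scratch directory and report what happened."""
    workdir = os.path.realpath(tempfile.mkdtemp(prefix="future-testpy-"))
    payload_file = os.path.join(workdir, "test.py")
    marker = os.path.join(workdir, "marker")
    os.environ["DEMO_MARKER"] = marker
    with open(payload_file, "w") as fh:
        fh.write(PAYLOAD)
    try:
        # `python script.py` puts the script's directory at sys.path[0]; model that.
        shadowing_path = [workdir] + sys.path
        loaded_from = import_like_future("test", shadowing_path)
        payload_executed = os.path.exists(marker)

        # Same lookup with that first entry gone, which is what `python -P` /
        # PYTHONSAFEPATH=1 achieve on 3.11+. Resolution only; nothing is imported.
        safe_origin = resolve_origin("test", sys.path)

        # The guard refuses because the first candidate is not a stdlib file.
        guard_refused = not guarded_import("test", shadowing_path)
    finally:
        os.environ.pop("DEMO_MARKER", None)
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "payload_file": payload_file,
        "loaded_from": loaded_from,
        "payload_executed": payload_executed,
        "safe_origin": safe_origin,
        "guard_refused": guard_refused,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the file directly to print the report. The resolution step is the check worth reusing: calling resolve_origin("test", sys.path) at process start, before any future import, tells you whether a shadowing test module exists anywhere on sys.path, which -P alone does not cover since it only drops the script directory.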

Remediation

The Python-Future module is no longer maintained; version 1.0.0 contains this vulnerability and no release fixing it is available. Users should migrate to actively maintained alternatives that do not perform such imports. Until the dependency is removed, reduce exposure by ensuring that no test.py file or test package exists in any directory on the sys.path of processes that import future (including the application's own directory, where such a file is a common and benign leftover), by running those processes with python -P or PYTHONSAFEPATH=1 on Python 3.11 and later so that the script or current directory is not searched, and by keeping every sys.path directory writable only by trusted users.

Added: Aug 14, 2025, 5:35 PM
Updated: Aug 14, 2025, 5:35 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.