Wooey Improper Authorization Vulnerability in API Endpoint Allowing Remote Code Execution
Vulnerability
A vulnerability exists in Wooey versions prior to 0.13.2, specifically in the 'add_or_update_script' function within the 'wooey/api/scripts.py' file. The issue arises because the API endpoint only verifies whether a user is authenticated, without checking for staff or admin privileges. As a result, any registered user can upload arbitrary Python scripts, which are then executed by Celery workers, leading to remote code execution. The vulnerability can be exploited remotely and has been publicly disclosed.
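The authorization gap described above, as an added illustration that is not Wooey's own code: a hypothetical User record carrying the usual Django role flags, the flawed gate (authenticated only) beside a hardened gate (staff or superuser required), and a small audit helper a defender can run over constructed upload records to list scripts that only the weak gate would have accepted.

```python
from dataclasses import dataclass


# Hypothetical user record mirroring the Django flags an authorization
# check would consult. Illustrative only, not Wooey's implementation.
@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool
    is_staff: bool = False
    is_superuser: bool = False


def weak_can_add_script(user: User) -> bool:
    """The flawed gate: any logged-in user may upload a script."""
    return user.is_authenticated


def hardened_can_add_script(user: User) -> bool:
    """Require an elevated role, since uploaded scripts are executed by workers."""
    return user.is_authenticated and (user.is_staff or user.is_superuser)


# Constructed sample of past upload attempts: (uploader name, user record).
SAMPLE_UPLOADS = [
    ("anon", User("anon", is_authenticated=False)),
    ("alice", User("alice", is_authenticated=True)),
    ("bob", User("bob", is_authenticated=True, is_staff=True)),
    ("root", User("root", is_authenticated=True, is_superuser=True)),
]


def scripts_to_review(uploads):
    """Uploaders the weak gate accepted but the hardened gate rejects.

    After upgrading, scripts from these accounts are the ones to audit.
    """
    return [
        name
        for name, user in uploads
        if weak_can_add_script(user) and not hardened_can_add_script(user)
    ]


if __name__ == "__main__":
    print("uploads to review:", scripts_to_review(SAMPLE_UPLOADS))
```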
Impact
Exploitation of this vulnerability allows any authenticated user to upload and execute arbitrary Python scripts on the server via the Wooey application. The executed scripts run with the same privileges as the Wooey service user, which could include accessing sensitive data, database credentials, and internal network services. This vulnerability has been classified as critical due to the remote code execution it enables.
Reproduction
To reproduce this vulnerability, deploy Wooey using the official Docker setup. After registering a regular user account and creating an API key, upload a malicious script through the 'add_or_update_script' API endpoint. The uploaded script can then be executed by any user, including anonymous users if the 'WOOEY_ALLOW_ANONYMOUS' setting is enabled.
Remediation
Users can upgrade to Wooey version 0.13.3rc1 or 0.14.0 to address this vulnerability. The patch has been merged into the main branch and is available for download.
