Security Issue: You allow access to some files you shouldn't


#1



https://www.codecademy.com/courses/python-intermediate-en-OGNHh/1/1?curriculum_id=4f89dab3d788890003000096

It shows important info.
I'm sorry I have to report it here. I checked the site, and there isn't any contact info.

Permission denied.


# Python 2 (print statement): reads the kernel version string of the sandbox host
my_file = open("/proc/version","r")
print my_file.read()
my_file.close()


#2

Yes, it does show important info of a sandbox. Hm... I will look into it. I am not sure how this information will help you to escape the sandbox. And you never eliminate the risk of revealing information; nmap also offers OS detection. Nothing to do about it.


#3

Allow access only to the /home/run* user. Security first, right?
Should be pretty straightforward to do that, as I see that you use a VM for every user in Codecademy, and each one has its own user in the VM.
Nmap offers OS detection, but it's easily circumvented. This could be a problem with one or more flaws...
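One way to enforce the "only /home/run* for each user" rule suggested in this post, as an added example that is not part of the thread or of Codecademy's own sandbox: a path policy that normalises each requested path before deciding, so that relative paths and `..` segments are judged on where they actually land. The `/home/run` prefix and the `run42` user name are assumptions taken from the thread.

```python
import posixpath

# Assumed sandbox layout (from the thread, not a real Codecademy setting):
# every sandbox user has a home directory under /home/run* and may only
# open files below that home.
SANDBOX_HOME_PREFIX = "/home/run"


def resolve(path, cwd="/"):
    """Lexically normalise `path` as the sandbox would see it.

    Relative paths are joined to the sandbox cwd first, so 'script.py' and
    '../../proc/version' are both judged on their final location. Symlinks
    are not followed here; a live system would apply realpath() as well.
    """
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def is_allowed(path, home):
    """True only if `path` lies inside `home` after normalisation."""
    if not home.startswith(SANDBOX_HOME_PREFIX):
        raise ValueError("home must be a %s* directory" % SANDBOX_HOME_PREFIX)
    home = posixpath.normpath(home)
    target = resolve(path, cwd=home)
    # Compare on a directory boundary so /home/run42x never matches /home/run42.
    return target == home or target.startswith(home + "/")


def audit(paths, home):
    """Split a batch of requested opens into (allowed, denied) lists."""
    allowed = [p for p in paths if is_allowed(p, home)]
    denied = [p for p in paths if not is_allowed(p, home)]
    return allowed, denied


def guarded_open(path, home, mode="r"):
    """open() wrapper that applies the policy before touching the filesystem."""
    if not is_allowed(path, home):
        raise PermissionError("sandbox policy denies access to %s" % path)
    return open(resolve(path, cwd=home), mode)


if __name__ == "__main__":
    home = "/home/run42"  # constructed sandbox user
    requests = ["/proc/version", "script.py", "../run43/notes.txt", "../../proc/version"]
    print(audit(requests, home))
```

Running the block prints `(['script.py'], ['/proc/version', '../run43/notes.txt', '../../proc/version'])`: the read from the original post is refused, and so are the two traversal forms of it.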


#4

No, Codecademy gives you more access, so you can actually do a lot in the console, but it is properly sandboxed. Codecademy is built from the ground up with security in mind, given you want to be able to code on your site.

Point is, you are not the first to indicate a security flaw, but each time we looked into it, the result was nothing. There was no way anything could be done with the information gained.

Good that you bring it to our attention; we will look into it, but I would be surprised if it yields anything. Also, you could import os and list everything in the proc directory.


#5

Well, that's good! Keep up the good work. I'm sure that you can handle it!