Has this been Fixed?

[Bruce Wade]

http://www.youtube.com/watch?v=5ZLmRMLo6HI

We are thinking about moving our site from pyramid to Web2py. Are there still security holes in Web2py as found in the video? 

--
--
Regards,
Bruce Wade
http://ca.linkedin.com/in/brucelwade
http://www.wadecybertech.com
http://www.warplydesigned.com
http://www.fitnessfriendsfinder.com

[Anthony]

Did you read the comments below the video? The comments make it clear that the video is not demonstrating a web2py vulnerability. The creator of the video simply used web2py to create a deliberately vulnerable application. He explicitly avoided using web2py's built-in authentication mechanism, which does not have the demonstrated vulnerability. Here is a quote:

Yes I had to go through unusual mechanisms to create that webapp ;-) I used web2py just because its a great framework.

By default, are [sic] you explain, web2py does not allow you to create such vulnerable code. The demo is not meant to show vulnerabilities in web2py, but rather generic issues found in web applications and how Acunetix WVS can be used to demonstrate these vulnerabilities.

So, you are safe moving your app to web2py. In fact, web2py takes security very seriously and is designed to be highly secure by default -- see http://web2py.com/books/default/chapter/29/1#Security and http://web2py.com/books/default/chapter/29/0.

Anthony

[Bruce Wade]

Honestly I didn't read the comments, I just seen that video shortly before heading home.

I have been using web2py for a while, just had to make sure you never know right?

Anyway's thanks for clearing things up.

--

Regards,

Bruce