.. _index-unchecked_file_deletion:

Index Vulnerability: Unchecked File Deletion
============================================

Improper checking of ACLs would have allowed any authenticated user to delete any release file hosted on the Package Index by supplying its md5 to the ``:files`` action in `the pypi-legacy `_ code base.

* Disclosure date: **2017-10-12** (Reported via security policy on `pypi.org `_)
* Disclosed by: `Max Justicz `_

Fixed In
--------

* PyPI "Legacy Codebase" (2017-10-12) fixed by `commit 18200fa `_ (2017-10-12)

Audit
-----

After mitigating the attack vector and deploying the fix, the responding Package Index maintainer worked to verify that no release files had been improperly removed using this exploit.

The Package Index maintains an audit log in the form of a "Journal" for all actions initiated. It was determined that exploitation of this attack vector would still remove files via the `existing interface `_, so an audit log entry would still be `written `_.

Using this information, we were able to reconstruct the set of users with legitimate access to remove release files at the point in time of each file removal `using the audit log `_. The output of this script was used to determine that no malicious actors exploited this vulnerability. All flagged journal entries were related to one of the following scenarios:

* Username updates that were not properly updated in the Journal
* Administrator intervention to remove packages

Timeline
--------

Timeline using the disclosure date **2017-10-12** as reference:

* 2017-10-12: Issue reported by `Max Justicz `_ following guidelines in security policy on `pypi.org `_
* 2017-10-12 (**+0days**): Report investigated by `Ernest W. Durbin III `_ and determined to be exploitable
* 2017-10-12 (**+0days**): Fix implemented and deployed in `commit 18200fa `_
* 2017-10-12 (**+0days**): The audit journals maintained by PyPI were used to reconstruct the full history of file removals to determine that no malicious deletions were performed.
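The Audit section above describes replaying the Journal to work out who legitimately held a role on a package at the moment each release file was removed, and flagging removals by anyone else. The following is an added illustration of that replay technique; it is not the script the Package Index maintainers actually ran and not code from the pypi-legacy code base. The journal entries, the action strings (``add Owner <user>``, ``remove Maintainer <user>``, ``remove file <name>``), the package ``widget``, the usernames and the ``ADMINS`` set are all constructed here for the example and only approximate the real Journal format.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class JournalEntry:
    """One row of the audit Journal (field names are assumptions for this example)."""
    name: str              # package the action applied to
    action: str            # free-text action string, e.g. "add Owner alice"
    submitted_date: datetime
    submitted_by: str      # username that performed the action


# Constructed sample journal: the action vocabulary below is an approximation, not real PyPI data.
SAMPLE_JOURNAL: List[JournalEntry] = [
    JournalEntry("widget", "create", datetime(2017, 1, 1), "alice"),
    JournalEntry("widget", "add Owner alice", datetime(2017, 1, 1), "alice"),
    JournalEntry("widget", "add Maintainer bob", datetime(2017, 2, 1), "alice"),
    # bob holds Maintainer here, so this removal is legitimate
    JournalEntry("widget", "remove file widget-1.0.tar.gz", datetime(2017, 3, 1), "bob"),
    JournalEntry("widget", "remove Maintainer bob", datetime(2017, 4, 1), "alice"),
    # bob no longer holds a role at this point: must be flagged
    JournalEntry("widget", "remove file widget-1.1.tar.gz", datetime(2017, 5, 1), "bob"),
    # mallory never held a role on widget: must be flagged
    JournalEntry("widget", "remove file widget-1.2.tar.gz", datetime(2017, 6, 1), "mallory"),
    # administrator intervention, one of the expected benign scenarios named in the advisory
    JournalEntry("widget", "remove file widget-1.3.tar.gz", datetime(2017, 7, 1), "admin"),
]

# Constructed set of index administrators whose removals are expected and not flagged.
ADMINS: Set[str] = {"admin"}


def flag_unauthorized_removals(journal: List[JournalEntry],
                               admins: Set[str] = frozenset(ADMINS)) -> List[JournalEntry]:
    """Replay the journal chronologically, tracking who holds a role on each package,
    and return every 'remove file' entry whose actor held no role at that moment.

    Role changes and file removals are processed in submitted_date order, so the
    role state consulted for a removal is exactly the state at the time it happened.
    """
    # package name -> username -> set of roles currently held
    roles: Dict[str, Dict[str, Set[str]]] = {}
    flagged: List[JournalEntry] = []

    # sorted() is stable, so entries sharing a timestamp keep their journal order
    for entry in sorted(journal, key=lambda e: e.submitted_date):
        pkg_roles = roles.setdefault(entry.name, {})
        parts = entry.action.split()

        # Role grant / revocation: update the point-in-time ACL view and move on.
        if (len(parts) == 3 and parts[0] in ("add", "remove")
                and parts[1] in ("Owner", "Maintainer")):
            verb, role, user = parts
            user_roles = pkg_roles.setdefault(user, set())
            if verb == "add":
                user_roles.add(role)
            else:
                user_roles.discard(role)
            continue

        # File removal: legitimate only if the actor is an admin or holds some role right now.
        if entry.action.startswith("remove file "):
            actor = entry.submitted_by
            if actor in admins or pkg_roles.get(actor):
                continue
            flagged.append(entry)

    return flagged


if __name__ == "__main__":
    for e in flag_unauthorized_removals(SAMPLE_JOURNAL):
        print(f"{e.submitted_date:%Y-%m-%d} {e.name}: '{e.action}' by {e.submitted_by} "
              f"(no role on package at that time)")
```

Every entry this returns still needs a human to classify it, which is exactly what the audit above did: a flagged row can be a real exploitation, an administrator acting outside the package's own ACL, or a renamed account whose old username is what the Journal recorded. Running the replay over the full Journal rather than only over post-disclosure rows matters because the vulnerability existed before it was reported.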