Did you read the comments below the video? The comments make it clear that the video is not demonstrating a web2py vulnerability. The creator of the video simply used web2py to create a deliberately vulnerable application. He explicitly avoided using web2py's built-in authentication mechanism, which does not have the demonstrated vulnerability. Here is a quote:

*Yes I had to go through unusual mechanisms to create that webapp ;-) I used web2py just because its a great framework.*

*By default, are [sic] you explain, web2py does not allow you to create such vulnerable code. The demo is not meant to show vulnerabilities in web2py, but rather generic issues found in web applications and how Acunetix WVS can be used to demonstrate these vulnerabilities.*

So, you are safe moving your app to web2py. In fact, web2py takes security very seriously and is designed to be highly secure by default -- see http://web2py.com/books/default/chapter/29/1#Security and http://web2py.com/books/default/chapter/29/0.

Anthony

On Monday, December 19, 2011 8:24:18 PM UTC-5, Detectedstealth wrote:
>
> http://www.youtube.com/watch?v=5ZLmRMLo6HI
>
> We are thinking about moving our site from pyramid to Web2py. Are there
> still security holes in Web2py as found in the video?
>
> --
> --
> Regards,
> Bruce Wade
> http://ca.linkedin.com/in/brucelwade
> http://www.wadecybertech.com
> http://www.warplydesigned.com
> http://www.fitnessfriendsfinder.com

