mcp

by AymThomas

Overview

An open-source Yang Browser and NetConf/RESTConf RPC Builder application to experiment with Yang Data Models and interact with network devices.

Installation

Run Command
cd <install-root>/WSL2 && ./start.sh &

Environment Variables

  • NCCLIENT_TIMEOUT
  • PYTHONPATH
  • DJANGO_SETTINGS_MODULE

Security Notes

CRITICAL: Multiple severe vulnerabilities identified:

1. Command Injection: The `bulkupload.py` script uses `os.system()` with user-controlled `git_path` and `dir_path` for `git clone` and `cp` commands, leading to arbitrary command execution.
2. Plaintext Password Storage: The README explicitly states that 'passwords are transmitted in plaintext' during user account creation and 'device login info is not secured' for device profiles. This means credentials are stored unencrypted in the database.
3. Flash Dependency: The README states 'Browser with latest flash plugin (tested with google chrome)' is a prerequisite. Flash is End-of-Life and notoriously insecure, posing a significant attack surface.
4. Weak NetConf Security: `ncclient.manager.connect` is configured with `hostkey_verify=False` in `pyscript.py` and `runner.py`, making NetConf connections vulnerable to Man-in-the-Middle (MITM) attacks.
5. Dangerous `eval()` Usage: `runner.py` uses `eval('requests.' + method.lower())`. While `method` appears constrained by `rest_ops`, using `eval` is generally a high-risk practice and can be exploited if input sanitization is insufficient.
6. Deprecated Python Version: The project explicitly requires Python 2.7, which is End-of-Life and no longer receives security updates, exposing the application to known vulnerabilities.
7. Development Server in Shared Environment: The `start.sh` script runs `python manage.py runserver`, which is Django's development server, not suitable or secure for production or shared server environments, as indicated in the README for shared server setup.

Stats

  • Interest Score: 0
  • Security Score: 2
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-11-24

Tags

  • Yang
  • NetConf
  • RESTConf
  • RPC Builder
  • Network Automation
  • CiscoDevNet
  • Python2