Serious privacy leak in Python for Windows

Kevin Altis altis at semi-retired.com
Wed Jan 16 02:47:32 CET 2002


Is this just limited to the ActiveState ActivePython distribution for
Windows? If so, perhaps someone could explain what registry tweak or file
change needs to be made to simply disable PythonScript so it is not
available in Internet Explorer or unavailable as a Windows Script Host
language.

ka

"Richard M. Smith" <rms at computerbytesman.com> wrote in message
news:3C44A774.5DFCDE15 at computerbytesman.com...
> Hello,
>
> There is a privacy leak problem in many Python implementations for
> Windows which allow a malicious Web page or HTML email message to read
> the contents of file from a user's hard drive and send the contents back
> to a Web site.  The problem occurs in Windows Python implementations
> that supports Python as a scripting language for Web pages in Internet
> Explorer.
>
> The problem exists because the Python runtime library does not consider
> file read operations to be a security risk.  File read operations are
> allowed to execute on a Web page without restriction. File write
> operations, on the other hand, are blocked.
>
> For example, the following Python code on a Web page will run
> successfully:
>
>    <SCRIPT language=python>
>    import __builtin__
>    myfile = __builtin__.open("c:\\autoexec.bat")
>    document.write(str(myfile.readlines()))
>    myfile.close()
>    </SCRIPT>
>
> This particular example opens the file c:\autoexec.bat and writes the
> file contents to the Web page.  The program could easily be changed to
> send the contents of the file back to a Web site by using an HTML form,
> a Web bug, or the Microsoft XML HTTP ActiveX control.
>
> Here is a second example, that shows a directory listing of C:\ on a Web
> page:
>
>    <SCRIPT language=python>
>    import os
>    for file in os.listdir("c:\\"):
>       document.writeln(file, "<br>");
>    </SCRIPT>
>
> This directory listing example is available online to test to see if a
> particular computer system is vulnerable to the problem or not:
>
>    http://www.computerbytesman.com/privacy/pythondirdemo.htm
>
> To fix this privacy leak, the Python runtime library should block all
> file operations when Python code is being used on a Web page, not just
> file write operations.
>
> There might also be workarounds to this problem either in Microsoft's
> ActiveScripting support in IE or in the Python runtime library.
> However, I am not an expert on either technology to know what these
> work-arounds might be.  Please drop me an email if you have any
> suggestions.
>
> Richard M. Smith
> http://www.computerbytesman.com





More information about the Python-list mailing list