Python cross-site scripting exploits?

Erlend J. Leiknes nookieNO_SP_AM at online.no
Thu May 23 08:53:38 EDT 2002


The python cgi lib doesn't offer any security at all.
The url entered by the client is the one that will end up in your cgi
script, and you will have to perform your own security checks on it, which I
think is a good thing (Who wants your programming language to halt your work
in a windoze way?)

from www.python.org online docs
(http://www.python.org/doc/current/lib/cgi-security.html)
11.2.6 Caring about security
There's one important rule: if you invoke an external program (via the
os.system() or os.popen() functions, or others with similar functionality),
make very sure you don't pass arbitrary strings received from the client to
the shell. This is a well-known security hole whereby clever hackers
anywhere on the Web can exploit a gullible CGI script to invoke arbitrary
shell commands. Even parts of the URL or field names cannot be trusted,
since the request doesn't have to come from your form!
    To be on the safe side, if you must pass a string gotten from a form to
a shell command, you should make sure the string contains only alphanumeric
characters, dashes, underscores, and periods.

You will probably find some security checks lying around (such as dotdot
security checks).

Erlend J. Leiknes



"Robin Becker" <robin at jessikat.fsnet.co.uk> wrote in message
news:DuIBcWA5WK78Ewyc at jessikat.fsnet.co.uk...
> A while back I asked if there were any obvious vulnerabilities in Python
> cgi scripting. At the time it seemed no-one would respond positively,
> but I see that recently both Mailman and viewCVS have been exploited.
>
> mailman has compile stuff, but isn't viewCVS pure Python?
>
> The viewCVS exploit is detailed here
>
>         http://lwn.net/2002/0523/a/viewcvs.php3
>
> Can some wizard kindly explain exactly how the client CGI is made
> responsible for security defence against bad URLs. It seems to me that
> the client browser should be responsible, but apparently not.
>
> The alleged fix seems to involve more complete argument checking, is
> that required for any such defence? What should the request response be?
> --
> Robin Becker
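As an added illustration of the rule quoted from the CGI docs in the post above (example code, not from the original post, the Python docs, or viewCVS): a whitelist check for client-supplied arguments, a "dotdot" path check, and a way to invoke a command without going through the shell. The names is_safe_shell_arg, resolve_under and run_with_untrusted_arg are this example's own.

```python
import os
import re
import subprocess
from typing import Optional

# Allowed-character rule from the CGI docs quoted above:
# alphanumerics, dashes, underscores and periods only.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_shell_arg(value: str) -> bool:
    """Return True only if value contains nothing a shell could interpret."""
    return bool(SAFE_ARG.match(value))


def resolve_under(root: str, user_path: str) -> Optional[str]:
    """A 'dotdot' check: resolve user_path beneath root, or return None.

    Compares normalised absolute paths instead of searching for the literal
    string '..', so 'foo/../../etc/passwd' and absolute paths are both caught.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def run_with_untrusted_arg(argument: str) -> str:
    """Run a fixed command with a client-supplied argument, never via a shell.

    The pattern the docs warn about is os.system("cmd " + argument), where a
    value such as 'x; rm -rf /' becomes a second command. Here the argument is
    validated, then passed as its own argv element so metacharacters stay literal.
    """
    if not is_safe_shell_arg(argument):
        raise ValueError("rejected CGI argument: %r" % argument)
    result = subprocess.run(["echo", argument], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inputs, as a CGI script might receive them.
    for arg in ["report-2002.txt", "x; rm -rf /", "$(id)", "a b"]:
        print(arg, "->", is_safe_shell_arg(arg))
    print(resolve_under("/var/www/cgi-data", "../../etc/passwd"))
```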
