steve at holdenweb.com
Thu Oct 5 20:39:08 CEST 2006
and-google at doxdesk.com wrote:
> Clodoaldo Pinto Neto wrote:
>>print '<p>The submited name was "' + name + '"</p>'
> Bzzt! Script injection security hole. See cgi.escape and use it (or a
> similar function) for *all* text -> HTML output.
>>open('files/' + fileitem.filename, 'w')
> BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
> code execution. clue: fileitem.filename= '../../something.py'
Technically this subclass of canonicalization error is known as a
directory traversal bug.
>>sid = cookie['sid'].value
>>session = shelve.open('/tmp/.session/sess_' + sid
> Bad filename use allows choice of non-session files, opening with
> shelve allows all sorts of pickle weirdnesses. Just use strings.
>>p = sub.Popen(str_command,
> Sure this stuff may not matter for Hello World on a test server, but if
> you're writing a tutorial you should ensure newbies know the Right Way
> to do it from the start. The proliferation of security-oblivious PHP
> tutorials is directly responsible for the disastrous amount of
> script-injection- and SQL-injection-vulnerable webapps out there -
> let's not have the same for Python.
I was teaching this week's class about SQL injection vulnerabilities
earlier today. One student mentioned estimates that *11%* of all
Internet web sites are vulnerable to such exploits. Another, a
policeman, pointed out that he'd had news just today of an injection
exploit on a major credit card company's web site. The number of credit
card numbers harvested by the attack has not yet been announced.
Credit card numbers should be encrypted in the database, of course, but
they rarely are (even by companies whose reputations imply they ought to
Yup, in the wacky world of the 21st century web if a thing's worth doing
it's worth screwing up completely ...
Steve Holden +44 150 684 7255 +1 800 494 3119
Holden Web LLC/Ltd http://www.holdenweb.com
Skype: holdenweb http://holdenweb.blogspot.com
Recent Ramblings http://del.icio.us/steve.holden
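The five snippets picked apart above (unescaped HTML output, the client-chosen upload filename, the session id spliced into a shelve path, a shell string handed to Popen, and the SQL injection Steve's class discussed) each have a short hardened counterpart. The following is an added example, not code from the original post or from the tutorial under discussion; it is written for Python 3, where html.escape replaces cgi.escape. The function names, the 'files' and session directories, the users table and the sample inputs are assumptions made for illustration.

```python
"""Hardened counterparts of the CGI snippets criticised in the thread.

Added example, not the tutorial's own code.  Function names, directories,
the users table and the sample inputs are assumptions for illustration.
"""
import html
import json
import os
import re
import sqlite3
import subprocess
import sys


# 1. Script injection: escape *every* text -> HTML transition.
def render_name(name):
    # quote=True also turns " and ' into entities, so the value stays safe
    # even if a later edit moves it inside an attribute.
    return '<p>The submitted name was "%s"</p>' % html.escape(name, quote=True)


# 2. Directory traversal: never let the client choose the path.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]{1,64}$')

def safe_upload_path(upload_dir, client_filename):
    # Drop any directory component (Windows browsers send backslashes),
    # then whitelist the remaining characters and refuse '.' and '..'.
    name = os.path.basename(client_filename.replace('\\', '/'))
    if name in ('.', '..') or not _SAFE_NAME.match(name):
        raise ValueError('rejected filename: %r' % client_filename)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Belt and braces: the resolved path must still sit inside upload_dir.
    if os.path.commonpath([root, path]) != root:
        raise ValueError('path escapes upload dir: %r' % path)
    return path


# 3. Session files: accept only a fixed-format token as the id, and store
#    plain JSON so that loading a tampered file cannot execute code the way
#    unpickling (which shelve does) can.
_SESSION_ID = re.compile(r'^[0-9a-f]{32}$')

def session_path(session_dir, sid):
    if not _SESSION_ID.match(sid):
        raise ValueError('bad session id: %r' % sid)
    return os.path.join(session_dir, 'sess_' + sid)

def save_session(session_dir, sid, data):
    os.makedirs(session_dir, exist_ok=True)
    with open(session_path(session_dir, sid), 'w') as f:
        json.dump(data, f)

def load_session(session_dir, sid):
    with open(session_path(session_dir, sid)) as f:
        return json.load(f)


# 4. Command injection: pass an argument list and never involve a shell,
#    so ';', '|' and '$(...)' in user input are just characters.
def run_command(args):
    result = subprocess.run(args, capture_output=True, text=True)
    return result.returncode, result.stdout

def echo_via_python(text):
    # Round-trips `text` through a child interpreter as one argv element.
    return run_command([sys.executable, '-c', 'import sys; print(sys.argv[1])', text])


# 5. SQL injection: bind parameters; the driver never lets data become SQL.
def find_user(conn, name):
    return conn.execute('SELECT id FROM users WHERE name = ?', (name,)).fetchall()

def find_user_unsafe(conn, name):
    # The concatenation pattern the thread warns about, kept for contrast.
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def demo_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER, name TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?)', [(1, 'alice'), (2, 'bob')])
    return conn


def rejected(func, *args):
    """True if func(*args) raises ValueError, i.e. the input was refused."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print(render_name('<script>alert(1)</script>'))
    print(safe_upload_path('files', '../../something.py'))
    print(rejected(session_path, '/tmp/.session', '../../etc/passwd'))
    print(echo_via_python('x; rm -rf /'))
    conn, payload = demo_db(), "x' OR '1'='1"
    print(find_user_unsafe(conn, payload), find_user(conn, payload))
```

Note that the traversal defence does two independent things: the basename-plus-whitelist step decides what name is acceptable, and the realpath/commonpath check confirms the final path is still under the upload directory, so a mistake in one does not silently defeat the other. The JSON session store loses shelve's ability to persist arbitrary objects, which is exactly the point: a session file should hold strings and numbers, not pickles.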