An error when i switched from python v2.6.6 => v3.2.3

Νίκος Γκρ33κ nikos.gr33k at gmail.com
Fri Mar 8 21:31:53 CET 2013


Τη Παρασκευή, 8 Μαρτίου 2013 10:01:59 μ.μ. UTC+2, ο χρήστης Ian έγραψε:
> On Fri, Mar 8, 2013 at 12:19 PM,  <info at cravendot.gr> wrote:
> 
> > I dare anyone who wants to to mess with 'htmlpage' variable value's now!
> 
> >
> 
> > I made it unhackable i believe!
> 
> >
> 
> > I'am testing it myself 3 hours now and find it safe!
> 
> >
> 
> > Please feel free to try also!
> 
> 
> 
> Okay, done.  I was still able to read your source files, and I was
> 
> still able to write a file to your webserver.  All I had to do was
> 
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> 
> Validating the 'htmlpage' field does nothing if you also switch the
> 
> dispatch to the 'page' field.
> 
> 
> 
> And as far as the validation goes, from what I can see in the source,
> 
> it looks like you're just checking whether the string '.html' appears
> 
> in it somewhere.  It's not hard at all to craft a malicious page
> 
> request that meets that.
> 
> 
> 
> As a start, try checking that the file actually exists before doing
> 
> anything with it, and that it is in one of the directories used by
> 
> your web server.

Thank you very much for pointing my flaws once again!

I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!

I have added extra security by following some of your advice, i wonder if youc an hack it again!

Fell free to try if i'am not tiring you please!



More information about the Python-list mailing list