An error when i switched from python v2.6.6 => v3.2.3

Chris Angelico rosuav at gmail.com
Fri Mar 8 22:37:11 CET 2013


On Sat, Mar 9, 2013 at 7:31 AM, Νίκος Γκρ33κ <nikos.gr33k at gmail.com> wrote:
> I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
>
> I have added extra security by following some of your advice, i wonder if youc an hack it again!
>
> Fell free to try if i'am not tiring you please!

Something to think about: There are roughly seven billion people on
this planet. You are just one of them; Steven is just one more. This
entire mailing list/newsgroup amounts to the most miniscule fraction
of the earth's population.

There is NO WAY that you are the smartest or most devious person on
Earth. Also, the three hours that you put in are *nothing* compared to
the collective time that the rest of the world will spend fiddling
with your site. Even if all of python-list/c.l.p spent a few hours
trying to get around your site's security, that's still not a huge
amount compared to the whole planet's deviousness.

You cannot build web site security on the basis of "well, I couldn't
get around it, and I tried for a few hours". I had this argument with
my boss just yesterday; I pointed out that there was a place where
user input was being put into an HTML attribute without being properly
escaped (and demonstrated that putting A into the input was
equivalent to putting A in), and he asked me how it could possibly be
exploited. My response: That does not matter. The mere fact that I
could provably show a difference WAS the problem. With that, a
determined attacker could potentially figure out a real exploit; it
does not matter that I wasn't able to do so.

You need to change your thinking about security/safety. Instead of
trying to filter/clean tainted input before passing it to a system()
call, you need to either whitelist BRUTALLY first (eg insist that the
string be one of a particular set of strings - and no, it's not
sufficient to make sure that it has only characters from a particular
set, though that's a good start), or just plain don't give tainted
strings to os.system().

What you have is a MASSIVE potential attack vector. It's quite
possibly unsalvageably dangerous.

ChrisA



More information about the Python-list mailing list