An error when i switched from python v2.6.6 => v3.2.3
Νίκος Γκρ33κ
nikos.gr33k at gmail.com
Fri Mar 8 15:31:53 EST 2013
Τη Παρασκευή, 8 Μαρτίου 2013 10:01:59 μ.μ. UTC+2, ο χρήστης Ian έγραψε:
> On Fri, Mar 8, 2013 at 12:19 PM, <info at cravendot.gr> wrote:
>
> > I dare anyone who wants to to mess with 'htmlpage' variable value's now!
>
> >
>
> > I made it unhackable i believe!
>
> >
>
> > I'am testing it myself 3 hours now and find it safe!
>
> >
>
> > Please feel free to try also!
>
>
>
> Okay, done. I was still able to read your source files, and I was
>
> still able to write a file to your webserver. All I had to do was
>
> change 'htmlpage' to 'page' in the example URLs I sent you before.
>
> Validating the 'htmlpage' field does nothing if you also switch the
>
> dispatch to the 'page' field.
>
>
>
> And as far as the validation goes, from what I can see in the source,
>
> it looks like you're just checking whether the string '.html' appears
>
> in it somewhere. It's not hard at all to craft a malicious page
>
> request that meets that.
>
>
>
> As a start, try checking that the file actually exists before doing
>
> anything with it, and that it is in one of the directories used by
>
> your web server.
Thank you very much for pointing my flaws once again!
I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
I have added extra security by following some of your advice, i wonder if youc an hack it again!
Fell free to try if i'am not tiring you please!
More information about the Python-list
mailing list