J
Joel Goldstick
The content type situation is discussed here
http://stackoverflow.com/questions/9145517/executing-a-python-script-in-apache2
The content type situation is discussed here
http://stackoverflow.com/questions/9145517/executing-a-python-script-in-apache2
J
Joel Goldstick
So, I see you fixed the problem. How?
Í
Íßêïò Ãêñ33ê
Ôç ÐÝìðôç, 7 Ìáñôßïõ 2013 9:36:33 ì.ì. UTC+2, ï ÷ñÞóôçò Joel Goldstick Ýãñáøå:
Apart from appearing ugly its not causing any more trouble(other than some issues that i have fixed), so i will just d:
os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
Apart from appearing ugly its not causing any more trouble(other than some issues that i have fixed), so i will just d:
os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
Í
Íßêïò Ãêñ33ê
Ôç ÐÝìðôç, 7 Ìáñôßïõ 2013 9:36:33 ì.ì. UTC+2, ï ÷ñÞóôçò Joel Goldstick Ýãñáøå:
Apart from appearing ugly its not causing any more trouble(other than some issues that i have fixed), so i will just d:
os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
Apart from appearing ugly its not causing any more trouble(other than some issues that i have fixed), so i will just d:
os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
I
Ian Kelly
If htmlpage is being pulled from the HTTP request as I think it is,
then you have a code injection vulnerability here. Think what could
happen if htmlpage were something like this:
-c ''; rm -rf /; oops.py
Í
Íßêïò Ãêñ33ê
Ôç ÐÝìðôç, 7 Ìáñôßïõ 2013 10:15:11 ì.ì. UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:
Yes its being pulled by http request!
But please try to do it, i dont think it will work!
Yes its being pulled by http request!
But please try to do it, i dont think it will work!
Í
Íßêïò Ãêñ33ê
Ôç ÐÝìðôç, 7 Ìáñôßïõ 2013 10:15:11 ì.ì. UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:
Yes its being pulled by http request!
But please try to do it, i dont think it will work!
Yes its being pulled by http request!
But please try to do it, i dont think it will work!
V
Vito De Tullio
Îίκος ΓκÏ33κ said:
try yourself and tell us what happened
Í
Íßêïò Ãêñ33ê
Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 5:55:07 ð.ì. UTC+2, ï ÷ñÞóôçò Vito De Tullio Ýãñáøå:
What command should i issue to try code injection?
someone tried it yesterday but it didnt work.
What command should i issue to try code injection?
someone tried it yesterday but it didnt work.
Í
Íßêïò Ãêñ33ê
Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 5:55:07 ð.ì. UTC+2, ï ÷ñÞóôçò Vito De Tullio Ýãñáøå:
What command should i issue to try code injection?
someone tried it yesterday but it didnt work.
What command should i issue to try code injection?
someone tried it yesterday but it didnt work.
Í
Íßêïò Ãêñ33ê
Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 5:55:07 ð.ì. UTC+2, ï ÷ñÞóôçò Vito De Tullio Ýãñáøå:
Someone with ip of:
dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
as my cgi script tells me.
i think it was Chris Angelico
Someone with ip of:
dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
as my cgi script tells me.
i think it was Chris Angelico
Í
Íßêïò Ãêñ33ê
Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 5:55:07 ð.ì. UTC+2, ï ÷ñÞóôçò Vito De Tullio Ýãñáøå:
Someone with ip of:
dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
as my cgi script tells me.
i think it was Chris Angelico
Someone with ip of:
dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
as my cgi script tells me.
i think it was Chris Angelico
C
Chris Angelico
Someone with ip of:
dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
as my cgi script tells me.
i think it was Chris Angelico
Nope, not me. As you'll be able to confirm in any number of ways, I'm
in Australia. Also, I use Chrome. That's someone else!
As a general rule, don't reveal people's IP addresses without
permission or good reason; it's unnecessarily breaking privacy.
ChrisA
Í
Íßêïò Ãêñ33ê
I must thank the tester of my webisites's security!
He hacked it nicely and easily through tampering with 'htmlpage' variable's value!
Now i'am validating htmlpage's input value and i don't beleive its hackable any more!
Please feel free to try whoever want to!
Thnk you all for your patience with me and support provided!
He hacked it nicely and easily through tampering with 'htmlpage' variable's value!
Now i'am validating htmlpage's input value and i don't beleive its hackable any more!
Please feel free to try whoever want to!
Thnk you all for your patience with me and support provided!
Í
Íßêïò Ãêñ33ê
I must thank the tester of my webisites's security!
He hacked it nicely and easily through tampering with 'htmlpage' variable's value!
Now i'am validating htmlpage's input value and i don't beleive its hackable any more!
Please feel free to try whoever want to!
Thnk you all for your patience with me and support provided!
He hacked it nicely and easily through tampering with 'htmlpage' variable's value!
Now i'am validating htmlpage's input value and i don't beleive its hackable any more!
Please feel free to try whoever want to!
Thnk you all for your patience with me and support provided!
S
Steven D'Aprano
That's not very nice.
Please don't tell the newbies to destroy their system, no matter how
tempting it might be.
I
info
Τη ΠαÏασκευή, 8 ΜαÏτίου 2013 8:54:15 μ.μ. UTC+2, ο χÏήστης Steven D'Aprano ÎγÏαψε:
I dare anyone who wants to to mess with 'htmlpage' variable value's now!
I made it unhackable i believe!
I'am testing it myself 3 hours now and find it safe!
Please feel free to try also!
I dare anyone who wants to to mess with 'htmlpage' variable value's now!
I made it unhackable i believe!
I'am testing it myself 3 hours now and find it safe!
Please feel free to try also!
I
Ian Kelly
Okay, done. I was still able to read your source files, and I was
still able to write a file to your webserver. All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.
And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere. It's not hard at all to craft a malicious page
request that meets that.
As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.
I
Ian Kelly
os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
Í
Íßêïò Ãêñ33ê
Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 10:01:59 ì.ì. UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:
Thank you very much for pointing my flaws once again!
I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
I have added extra security by following some of your advice, i wonder if youc an hack it again!
Fell free to try if i'am not tiring you please!
Thank you very much for pointing my flaws once again!
I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
I have added extra security by following some of your advice, i wonder if youc an hack it again!
Fell free to try if i'am not tiring you please!