An error when i switched from python v2.6.6 => v3.2.3

[Íßêïò Ãêñ33ê]

Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 10:01:59 ì.ì. UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:

Okay, done. I was still able to read your source files, and I was

still able to write a file to your webserver. All I had to do was

change 'htmlpage' to 'page' in the example URLs I sent you before.

Validating the 'htmlpage' field does nothing if you also switch the

dispatch to the 'page' field.



And as far as the validation goes, from what I can see in the source,

it looks like you're just checking whether the string '.html' appears

in it somewhere. It's not hard at all to craft a malicious page

request that meets that.



As a start, try checking that the file actually exists before doing

anything with it, and that it is in one of the directories used by

your web server.

Thank you very much for pointing my flaws once again!

I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!

I have added extra security by following some of your advice, i wonder if youc an hack it again!

Fell free to try if i'am not tiring you please!

 

[nagia.retsina]

Τη ΠαÏασκευή, 8 ΜαÏτίου 2013 8:54:15 μ.μ. UTC+2, ο χÏήστης Steven D'Aprano έγÏαψε:

Please don't tell the newbies to destroy their system, no matter how
tempting it might be.

What that "-c ''" options i keep seeing in the attempts to pass bogus info in my 'page' variable?

And hows oops.py relevant? Such file doesnt nto exist in my webssever.

 

[Chris Angelico]

I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!

I have added extra security by following some of your advice, i wonder ifyouc an hack it again!

Fell free to try if i'am not tiring you please!

Something to think about: There are roughly seven billion people on
this planet. You are just one of them; Steven is just one more. This
entire mailing list/newsgroup amounts to the most miniscule fraction
of the earth's population.

There is NO WAY that you are the smartest or most devious person on
Earth. Also, the three hours that you put in are *nothing* compared to
the collective time that the rest of the world will spend fiddling
with your site. Even if all of python-list/c.l.p spent a few hours
trying to get around your site's security, that's still not a huge
amount compared to the whole planet's deviousness.

You cannot build web site security on the basis of "well, I couldn't
get around it, and I tried for a few hours". I had this argument with
my boss just yesterday; I pointed out that there was a place where
user input was being put into an HTML attribute without being properly
escaped (and demonstrated that putting A into the input was
equivalent to putting A in), and he asked me how it could possibly be
exploited. My response: That does not matter. The mere fact that I
could provably show a difference WAS the problem. With that, a
determined attacker could potentially figure out a real exploit; it
does not matter that I wasn't able to do so.

You need to change your thinking about security/safety. Instead of
trying to filter/clean tainted input before passing it to a system()
call, you need to either whitelist BRUTALLY first (eg insist that the
string be one of a particular set of strings - and no, it's not
sufficient to make sure that it has only characters from a particular
set, though that's a good start), or just plain don't give tainted
strings to os.system().

What you have is a MASSIVE potential attack vector. It's quite
possibly unsalvageably dangerous.

ChrisA

 

[emile]

Τη ΠαÏασκευή, 8 ΜαÏτίου 2013 8:54:15 μ.μ. UTC+2, ο χÏήστης Steven D'Aprano έγÏαψε:



What that "-c ''" options i keep seeing in the attempts to pass bogus info in my 'page' variable?

And hows oops.py relevant? Such file doesnt nto exist in my webssever.

You're certainly right about that -- particularly by the time it's
attempted.

Emile

 

[Ian Kelly]

Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 8:54:15 ì.ì. UTC+2, ï ÷ñÞóôçò Steven D'Aprano Ýãñáøå:



What that "-c ''" options i keep seeing in the attempts to pass bogus info in my 'page' variable?

And hows oops.py relevant? Such file doesnt nto exist in my webssever.

The command that gets run is "python %s > %s", where the page variable
is substituted in for the first %s. If you perform that substitution,
you will get:

python -c ''; rm -rf /; oops.py > /path/to/some/temp/file

So the -c is an option to Python. It means that instead of reading a
script, Python should run commands passed on the command line in the
next argument. That's the ''. It's empty, so what this instructs
Python is to do nothing at all.

The second command in this shell script is "rm -rf /". I assume you
know what that would do.

The third command is "oops.py > /path/to/some/tempfile". The fact
that oops.py does not exist is not important, because the attacker
does not care what this command does. The payload of the attack was
already delivered in the second command. The only reason for this is
because it ends in .py, which is what the web server is looking for
when deciding whether to run a script. The word "oops" here is just
for levity.

 

[Ian Kelly]

Thank you very much for pointing my flaws once again!

I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!

I have added extra security by following some of your advice, i wonder ifyouc an hack it again!

Fell free to try if i'am not tiring you please!

That seems to be better, although I want to stress that I did not try
very hard. It's possible that somebody with more patience and
imagination than myself might still find a way to fool your
validation.

 

[nagia.retsina]

Τη Σάββατο, 9 ΜαÏτίου 2013 2:26:56 Ï€.μ. UTC+2, ο χÏήστης Ian έγÏαψε:

That seems to be better, although I want to stress that I did not try

very hard. It's possible that somebody with more patience and

imagination than myself might still find a way to fool your

validation.

I'am glad the script has been made more secure after of course you enilghten me and i followed your advice. Here is what i did:


# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
page = page
elif form.getvalue('show') and os.path.isfile( htmlpage ):
page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
page = 'index.html'

Now that you have the if structure's logic can you *still* fool the script?

 

[nagia.retsina]

Τη Σάββατο, 9 ΜαÏτίου 2013 2:26:56 Ï€.μ. UTC+2, ο χÏήστης Ian έγÏαψε:

That seems to be better, although I want to stress that I did not try

very hard. It's possible that somebody with more patience and

imagination than myself might still find a way to fool your

validation.

I'am glad the script has been made more secure after of course you enilghten me and i followed your advice. Here is what i did:


# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
page = page
elif form.getvalue('show') and os.path.isfile( htmlpage ):
page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
page = 'index.html'

Now that you have the if structure's logic can you *still* fool the script?

 

[Íßêïò Ãêñ33ê]

Ôç ÓÜââáôï, 9 Ìáñôßïõ 2013 2:18:42 ð.ì.UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:

So the -c is an option to Python. It means that instead of reading a
script, Python should run commands passed on the command line in the
next argument. That's the ''. It's empty, so what this instructs
Python is to do nothing at all.
The second command in this shell script is "rm -rf /". I assume you
know what that would do.

Thank you for explaining but i'am not sure i ahve understand this part.
Can you please elaborate more?

 

[Íßêïò Ãêñ33ê]

Ôç ÓÜââáôï, 9 Ìáñôßïõ 2013 2:18:42 ð.ì.UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:

So the -c is an option to Python. It means that instead of reading a
script, Python should run commands passed on the command line in the
next argument. That's the ''. It's empty, so what this instructs
Python is to do nothing at all.
The second command in this shell script is "rm -rf /". I assume you
know what that would do.

Thank you for explaining but i'am not sure i ahve understand this part.
Can you please elaborate more?

 

[Íßêïò Ãêñ33ê]

Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 11:37:11 ì.ì. UTC+2, ï ÷ñÞóôçò Chris Angelico Ýãñáøå:

There is NO WAY that you are the smartest or most devious person on
Earth. Also, the three hours that you put in are *nothing* compared to
the collective time that the rest of the world will spend fiddling
with your site. Even if all of python-list/c.l.p spent a few hours
trying to get around your site's security, that's still not a huge
amount compared to the whole planet's deviousness.

I agree with you but i wonder why the world would want to dedicate hours for fiddling with my script? Why anyone should mess with my website http://superhost.gr ?

 

[Íßêïò Ãêñ33ê]

Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 11:37:11 ì.ì. UTC+2, ï ÷ñÞóôçò Chris Angelico Ýãñáøå:

There is NO WAY that you are the smartest or most devious person on
Earth. Also, the three hours that you put in are *nothing* compared to
the collective time that the rest of the world will spend fiddling
with your site. Even if all of python-list/c.l.p spent a few hours
trying to get around your site's security, that's still not a huge
amount compared to the whole planet's deviousness.

I agree with you but i wonder why the world would want to dedicate hours for fiddling with my script? Why anyone should mess with my website http://superhost.gr ?

 

[Mark Lawrence]

Ôç ÐáñáóêåõÞ, 8 Ìáñôßïõ 2013 11:37:11 ì.ì. UTC+2, ï ÷ñÞóôçò Chris Angelico Ýãñáøå:


I agree with you but i wonder why the world would want to dedicate hours for fiddling with my script? Why anyone should mess with my website http://superhost.gr ?

Because hackers love hacking? But I suspect they might give you a miss
as too easy, preferring to take on the theoretically challenging places
such as UK MOD, Pentagon, GCHQ, NSA, MI5 and MI6. Note however that
it's difficult to hack some of these people as of course they don't
actually exist

 

[Mark Lawrence]

Ôç ÓÜââáôï, 9 Ìáñôßïõ 2013 2:18:42 ð.ì. UTC+2, ï ÷ñÞóôçò Ian Ýãñáøå:


Thank you for explaining but i'am not sure i ahve understand this part.
Can you please elaborate more?

I confess to knowing very little about *nix commands, but I believe the
second command referenced above does something like delete everything on
your hard drive. Not that this is a problem as your improved security
ensures that this can't happen, doesn't it?

 

[Steven D'Aprano]

I agree with you but i wonder why the world would want to dedicate hours
for fiddling with my script? Why anyone should mess with my website
http://superhost.gr ?

What makes you think it would be hours? For somebody who knows what they
are doing, it is probably more like minutes.

And as for why...

- because they think it's funny;

- because they get pleasure from vandalising other people's property;

- to prove that they can do it;

- to punish you for being naive and foolish;

- to get control of your webserver, so they can store files on it without
your knowledge;

- or launch attacks on other people's websites;

- or to encrypt your data and charge you money to decrypt it;

- or some other reason that I cannot think of.

 

[Íßêïò Ãêñ33ê]

Ôç ÓÜââáôï, 9 Ìáñôßïõ 2013 7:05:08 ð.ì.UTC+2, ï ÷ñÞóôçò Steven D'Aprano Ýãñáøå:

What makes you think it would be hours? For somebody who knows what they

are doing, it is probably more like minutes.



And as for why...



- because they think it's funny;



- because they get pleasure from vandalising other people's property;



- to prove that they can do it;



- to punish you for being naive and foolish;



- to get control of your webserver, so they can store files on it without

your knowledge;



- or launch attacks on other people's websites;



- or to encrypt your data and charge you money to decrypt it;



- or some other reason that I cannot think of.

I see, didn think of those reason apart form the fact that they cna prove they can do it!

But as i have it now more security improved they can't

 

[Mark Lawrence]

Ôç ÓÜââáôï, 9 Ìáñôßïõ 2013 7:05:08 ð.ì. UTC+2, ï ÷ñÞóôçò Steven D'Aprano Ýãñáøå:

I see, didn think of those reason apart form the fact that they cna prove they can do it!

But as i have it now more security improved they can't

Red flag to a bull.

Would you also please read section 2 of this
http://wiki.python.org/moin/GoogleGroupsPython to prevent all of your
posts having <quote>an excessive number of quoted blank lines.</quote>

 

[Íßêïò Ãêñ33ê]

Is there a way to see anserws to my posts via ThunderBird that doesn't hve this formatting issue?

 

[Íßêïò Ãêñ33ê]

Is there a way to see anserws to my posts via ThunderBird that doesn't hve this formatting issue?

 

[rusi]

Is there a way to see anserws to my posts via ThunderBird that doesn't hve this formatting issue?

I had posted a suggestion to get back to 'old google groups' here.
Usually if you (can) switch to the old these problems vanish

http://mail.python.org/pipermail/python-list/2012-October/633460.html

[According to Alex it seems you may have to actively select the new
before you can select the old]