Crunchy security advisory

  • Thread starter =?iso-8859-1?B?QW5kcuk=?=
  • Start date
?

=?iso-8859-1?B?QW5kcuk=?=

A security hole has been uncovered in Crunchy (version 0.9.1.1 and
earlier).

Anyone using Crunchy to browse web tutorials should only visit sites
that are trustworthy.

We are working hard at fixing the hole; a new release addressing the
problems that have
been found should be forthcoming shortly.

André


-----

The security problem is as follows:

In theory, a web page could contain some javascript code (or link to
such code) that would bypass Crunchy's filter to be executed by the
browser. If that is the case, the javascript code could be designed
to send some
Python code directly to the Python backend (i.e. without the Crunchy
user pressing a button, or having the chance to view the code to be
executed) so that it is executed. Such code could result in deleting
the entire files or installing some virus on the user's machine.

At the moment, the risk is pretty low. Crunchy already removes all
obvious (and most non-obvious) javascript code, links to such code,
etc. The holes found require the use of some uncommon combination of
html and css code, with a particular knowledge of Firefox.

(Note that browsers other than Firefox are likely to be even more
vulnerable).

Furthermore, Crunchy is not that well known that it is likely to
be a target by a cracker that would 1) write a "tutorial" interesting
enough to lure current Crunchy users (who, at this point, are
likely to include only advanced Python users) and 2) write some fairly
involved
javascript code to bypass the second security layer (where the
commands enabling communication between the browser and crunchy are
made up of random string generated uniquely at each new Crunchy
session).

If anyone is interested in security issues related to Crunchy, feel
free to
contact me directly.
 
?

=?iso-8859-1?B?QW5kcuk=?=

A new release (0.9.2) containing a very important security fix is
available
for Crunchy, at http://code.google.com/p/crunchy

Anyone using Crunchy *should* download this release.

Fairly detailed information about the security issue can be found
on the FAQ page included in Crunchy's release
(viewable from Crunchy's left menu).


André

Crunchy is an application that transforms an otherwise static
html page into an interactive Python session.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

New release: Crunchy 0.9 1
Crunchy 1.0 alpha 1 released 0
Crunchy release 0.9.1 0
Crunchy version 0.7 is here! 0
Crunchy 0.8 release 3
Crunchy release 0.9.8.6 0
Ann: Crunchy Frog 0.6 0
Crunchy release 0.9.8 0

Members online

No members online now.

Forum statistics

Threads
473,968
Messages
2,570,150
Members
46,697
Latest member
AugustNabo

Latest Threads

Top