Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #40904

Re: An error when i switched from python v2.6.6 => v3.2.3

References (13 earlier) <mailman.3066.1362714922.2939.python-list@python.org> <513a33d7$0$30001$c3e8da3$5496439d@news.astraweb.com> <1a79c210-3c50-43bb-8a78-5d5ef60922ec@googlegroups.com> <mailman.3095.1362772967.2939.python-list@python.org> <85b5c606-a1c7-480b-a900-622f61751b87@googlegroups.com>
Date 2013-03-09 08:37 +1100
Subject Re: An error when i switched from python v2.6.6 => v3.2.3
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.3101.1362778641.2939.python-list@python.org> (permalink)

Show all headers | View raw

On Sat, Mar 9, 2013 at 7:31 AM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
>
> I have added extra security by following some of your advice, i wonder if youc an hack it again!
>
> Fell free to try if i'am not tiring you please!

Something to think about: There are roughly seven billion people on
this planet. You are just one of them; Steven is just one more. This
entire mailing list/newsgroup amounts to the most miniscule fraction
of the earth's population.

There is NO WAY that you are the smartest or most devious person on
Earth. Also, the three hours that you put in are *nothing* compared to
the collective time that the rest of the world will spend fiddling
with your site. Even if all of python-list/c.l.p spent a few hours
trying to get around your site's security, that's still not a huge
amount compared to the whole planet's deviousness.

You cannot build web site security on the basis of "well, I couldn't
get around it, and I tried for a few hours". I had this argument with
my boss just yesterday; I pointed out that there was a place where
user input was being put into an HTML attribute without being properly
escaped (and demonstrated that putting &#65; into the input was
equivalent to putting A in), and he asked me how it could possibly be
exploited. My response: That does not matter. The mere fact that I
could provably show a difference WAS the problem. With that, a
determined attacker could potentially figure out a real exploit; it
does not matter that I wasn't able to do so.

You need to change your thinking about security/safety. Instead of
trying to filter/clean tainted input before passing it to a system()
call, you need to either whitelist BRUTALLY first (eg insist that the
string be one of a particular set of strings - and no, it's not
sufficient to make sure that it has only characters from a particular
set, though that's a good start), or just plain don't give tainted
strings to os.system().

What you have is a MASSIVE potential attack vector. It's quite
possibly unsalvageably dangerous.

ChrisA

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 00:18 -0800
  Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 01:06 -0800
    Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 03:27 -0800
      Re: An error when i switched from python v2.6.6 => v3.2.3 "Michael Ross" <gmx@ross.cx> - 2013-03-07 12:51 +0100
        Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 04:25 -0800
          Re: An error when i switched from python v2.6.6 => v3.2.3 "Michael Ross" <gmx@ross.cx> - 2013-03-07 14:06 +0100
            Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:22 -0800
              Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 00:43 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:56 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:01 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:11 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:13 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:17 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:34 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:37 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:44 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:48 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:44 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:34 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:13 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:16 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:11 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:56 -0800
            Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:22 -0800
        Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 04:25 -0800
  Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:50 -0800
    Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:52 -0800
    Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:01 -0800
      Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 02:13 +1100
        Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:26 -0800
          Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 02:33 +1100
            Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:57 -0800
              Re: An error when i switched from python v2.6.6 => v3.2.3 rh <richard_hubbe11@lavabit.com> - 2013-03-07 10:51 -0800
              Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 13:57 -0500
              Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 14:36 -0500
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 12:04 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-07 13:15 -0700
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 16:57 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Vito De Tullio <vito.detullio@gmail.com> - 2013-03-08 04:55 +0100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:54 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:54 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:56 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 18:01 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 02:51 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 02:51 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:56 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-03-08 18:54 +0000
                Re: An error when i switched from python v2.6.6 => v3.2.3 info@cravendot.gr - 2013-03-08 11:19 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 13:01 -0700
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 12:31 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-09 08:37 +1100
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:18 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 03:27 +0000
                Re: An error when i switched from python v2.6.6 => v3.2.3 Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-03-09 05:05 +0000
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 23:56 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 12:43 +0000
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-09 06:16 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-09 06:16 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 rusi <rustompmody@gmail.com> - 2013-03-09 07:20 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:18 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 17:26 -0700
                Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 19:15 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 19:15 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 12:31 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 13:04 -0700
                Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 12:54 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 emile <emile@fenx.com> - 2013-03-08 14:13 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 17:18 -0700
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:17 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 03:33 +0000
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:17 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 16:57 -0800
                Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 12:04 -0800
            Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:57 -0800
        Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:26 -0800
      Re: An error when i switched from python v2.6.6 => v3.2.3 John Gordon <gordon@panix.com> - 2013-03-07 15:55 +0000
        Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 08:00 -0800
          Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 08:22 -0800
            Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 12:41 -0500
            Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 13:50 -0500

csiph-web