Subject: Re: An error when i switched from python v2.6.6 => v3.2.3
From: Chris Angelico
To: python-list@python.org
Newsgroups: comp.lang.python
Date: Sat, 9 Mar 2013 08:37:11 +1100

On Sat, Mar 9,
2013 at 7:31 AM, Νίκος Γκρ33κ wrote:
> I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!
>
> I have added extra security by following some of your advice, I wonder if you can hack it again!
>
> Feel free to try if I'm not tiring you please!

Something to think about: There are roughly seven billion people on this planet. You are just one of them; Steven is just one more. This entire mailing list/newsgroup amounts to the most minuscule fraction of the earth's population. There is NO WAY that you are the smartest or most devious person on Earth. Also, the three hours that you put in are *nothing* compared to the collective time that the rest of the world will spend fiddling with your site. Even if all of python-list/c.l.p spent a few hours trying to get around your site's security, that's still not a huge amount compared to the whole planet's deviousness. You cannot build web site security on the basis of "well, I couldn't get around it, and I tried for a few hours".

I had this argument with my boss just yesterday; I pointed out that there was a place where user input was being put into an HTML attribute without being properly escaped (and demonstrated that putting A into the input was equivalent to putting A in), and he asked me how it could possibly be exploited. My response: That does not matter. The mere fact that I could provably show a difference WAS the problem. With that, a determined attacker could potentially figure out a real exploit; it does not matter that I wasn't able to do so.

You need to change your thinking about security/safety.
Instead of trying to filter/clean tainted input before passing it to a system() call, you need to either whitelist BRUTALLY first (eg insist that the string be one of a particular set of strings - and no, it's not sufficient to make sure that it has only characters from a particular set, though that's a good start), or just plain don't give tainted strings to os.system().

What you have is a MASSIVE potential attack vector. It's quite possibly unsalvageably dangerous.

ChrisA
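The whitelist advice above, as an added example that is not part of Chris's post or of the script under discussion. It shows why a character-class filter is "a good start" but not enough: three inputs built only from "safe" characters still change what a `cat` command does (an extra file name, a traversal path, an option), and how a whitelist of permitted values plus an argv list with no shell rejects all three. The file names, the `ALLOWED_FILES` set and the `cat` command are assumptions made for this example.

```python
import re
import shlex
import subprocess

# Constructed for this example (assumption): the only file names the CGI
# script may ever hand to a command. Real code would take this from
# configuration or from a directory listing it controls, never from the
# request itself.
ALLOWED_FILES = frozenset({"notes.txt", "readme.txt"})

# The "only characters from a particular set" check the post warns about:
# letters, digits, space, dot, slash, underscore, hyphen. No shell
# metacharacters at all, and still not safe.
SAFE_CHARS = re.compile(r"^[A-Za-z0-9 ._/-]+$")


def passes_charset_filter(user_input):
    """True if the input contains only characters from SAFE_CHARS."""
    return SAFE_CHARS.match(user_input) is not None


def naive_command(user_input):
    """The dangerous pattern: filter by character class, then build a shell string.

    Returns the string that would be handed to os.system(); this function
    deliberately does not execute it.
    """
    if not passes_charset_filter(user_input):
        raise ValueError("rejected by character filter")
    return "cat " + user_input


def shell_words(command):
    """How /bin/sh would split the command string into argv."""
    return shlex.split(command)


def whitelisted_argv(user_input):
    """The post's advice: insist the value is one of a fixed set of strings,
    then pass it to the program as its own argv element with no shell involved.

    The '--' ends option parsing, so even a whitelisted name that began with
    '-' could not be read as a flag.
    """
    if user_input not in ALLOWED_FILES:
        raise ValueError("not an allowed file name")
    return ["cat", "--", user_input]


def read_allowed_file(user_input, directory):
    """Run the whitelisted command without a shell and return its stdout."""
    argv = whitelisted_argv(user_input)
    return subprocess.run(argv, cwd=directory, capture_output=True, check=True).stdout


if __name__ == "__main__":
    # Three inputs that sail through the character filter yet change what
    # the command does: an extra file, a traversal path, and an option.
    for evil in ("notes.txt /etc/passwd", "../../etc/passwd", "--help"):
        print(repr(evil), "->", shell_words(naive_command(evil)))
        try:
            whitelisted_argv(evil)
        except ValueError as exc:
            print("   whitelist:", exc)
```

Note that `read_allowed_file` never touches `shell=True`: once the value is one of a known set and travels as a separate argv element, there is no string for the shell to reinterpret, which is the "don't give tainted strings to os.system()" half of the advice.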