An error when I switched from Python v2.6.6 => v3.2.3

  • Thread starter Νίκος Γκρ33κ

Νίκος Γκρ33κ

On Thursday, 7 March 2013 9:36:33 PM UTC+2, user Joel Goldstick wrote:
 So, I see you fixed the problem.  How?

Apart from appearing ugly, it's not causing any more trouble (other than some issues that I have fixed), so I will just d:

os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
 

Ian Kelly

On Thursday, 7 March 2013 9:36:33 PM UTC+2, user Joel Goldstick wrote:

Apart from appearing ugly, it's not causing any more trouble (other than some issues that I have fixed), so I will just d:

os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )

If htmlpage is being pulled from the HTTP request as I think it is,
then you have a code injection vulnerability here. Think what could
happen if htmlpage were something like this:

-c ''; rm -rf /; oops.py
 
Νίκος Γκρ33κ

On Thursday, 7 March 2013 10:15:11 PM UTC+2, user Ian wrote:
If htmlpage is being pulled from the HTTP request as I think it is,
then you have a code injection vulnerability here. Think what could
happen if htmlpage were something like this:

-c ''; rm -rf /; oops.py

Yes, it's being pulled by HTTP request!

But please try to do it, I don't think it will work!
 

Vito De Tullio

Νίκος Γκρ33κ said:
Yes, it's being pulled by HTTP request!

But please try to do it, I don't think it will work!

try yourself and tell us what happened
 
Νίκος Γκρ33κ

On Friday, 8 March 2013 5:55:07 AM UTC+2, user Vito De Tullio wrote:
Νίκος Γκρ33κ wrote:

try yourself and tell us what happened

What command should I issue to try code injection?
Someone tried it yesterday but it didn't work.
 

Νίκος Γκρ33κ

On Friday, 8 March 2013 5:55:07 AM UTC+2, user Vito De Tullio wrote:
Νίκος Γκρ33κ wrote:

try yourself and tell us what happened

Someone with IP of:

dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18

as my CGI script tells me.

I think it was Chris Angelico :)
 

Chris Angelico

Someone with IP of:

dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18

as my CGI script tells me.

I think it was Chris Angelico :)

Nope, not me. As you'll be able to confirm in any number of ways, I'm
in Australia. Also, I use Chrome. That's someone else!

As a general rule, don't reveal people's IP addresses without
permission or good reason; it's unnecessarily breaking privacy.

ChrisA
 
Νίκος Γκρ33κ

I must thank the tester of my website's security!

He hacked it nicely and easily through tampering with the 'htmlpage' variable's value!

Now I am validating htmlpage's input value and I don't believe it's hackable any more!

Please feel free to try, whoever wants to!

Thank you all for your patience with me and the support provided!
 

Steven D'Aprano

try yourself and tell us what happened


That's not very nice.

Please don't tell the newbies to destroy their system, no matter how
tempting it might be.
 
info

On Friday, 8 March 2013 8:54:15 PM UTC+2, user Steven D'Aprano wrote:
That's not very nice.

Please don't tell the newbies to destroy their system, no matter how
tempting it might be.

I dare anyone who wants to, to mess with the 'htmlpage' variable's value now!

I made it unhackable, I believe!

I've been testing it myself for 3 hours now and find it safe!

Please feel free to try also!
 
Ian Kelly

I dare anyone who wants to, to mess with the 'htmlpage' variable's value now!

I made it unhackable, I believe!

I've been testing it myself for 3 hours now and find it safe!

Please feel free to try also!

Okay, done. I was still able to read your source files, and I was
still able to write a file to your webserver. All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere. It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.
 

Ian Kelly

Okay, done. I was still able to read your source files, and I was
still able to write a file to your webserver. All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere. It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.

os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
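
The two problems raised in this thread (the shell command built from htmlpage, and a check that only looks for '.html' somewhere in the value) are shown here next to a stricter resolver, as an added example that is not code from the thread or from the site it discusses. The function names, the temporary directory layout and the sample values are constructed for illustration; path resolution uses os.path.realpath together with os.path.isfile.

```python
import os
import subprocess
import sys
import tempfile

def weak_check(htmlpage):
    # The check described in the thread: '.html' appears somewhere in the value.
    return '.html' in htmlpage

def resolve_page(htmlpage, webroot):
    """Return the real path of htmlpage if it is a regular file under webroot, else None."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, htmlpage))
    if os.path.commonpath([root, candidate]) != root:
        return None  # '..', an absolute path or a symlink led outside the web root
    if not os.path.isfile(candidate):
        return None  # missing file, directory, or text that is not a path at all
    return candidate

def render(htmlpage, webroot):
    path = resolve_page(htmlpage, webroot)
    if path is None:
        raise ValueError('rejected page: %r' % (htmlpage,))
    # Argument list and no shell: the path is a single argv entry, so ';', '>' and
    # quotes in it are never interpreted, unlike os.system('python %s > %s' % ...).
    done = subprocess.run([sys.executable, path], capture_output=True,
                          text=True, timeout=10)
    return done.stdout

def demo():
    # Constructed layout: <tmp>/www is the web root, <tmp>/private.py lies outside it.
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, 'www')
    os.mkdir(webroot)
    with open(os.path.join(webroot, 'index.html.py'), 'w') as f:
        f.write("print('<p>hello</p>')\n")
    with open(os.path.join(base, 'private.py'), 'w') as f:
        f.write("print('source outside the web root')\n")
    samples = ['index.html.py', '../private.py', os.path.join(base, 'private.py'),
               'index.html.py; echo injected', 'missing.html']
    return webroot, {s: (weak_check(s), resolve_page(s, webroot) is not None)
                     for s in samples}

if __name__ == '__main__':
    root, table = demo()
    for value, (weak, strict) in table.items():
        print('%-40r weak=%-5s strict=%s' % (value, weak, strict))
    print(render('index.html.py', root), end='')
```

The same resolver has to sit in front of every request field that can select a file, since validating one field does nothing when another field reaches the same dispatch.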
 
Νίκος Γκρ33κ

On Friday, 8 March 2013 10:01:59 PM UTC+2, user Ian wrote:
Okay, done. I was still able to read your source files, and I was
still able to write a file to your webserver. All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere. It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.

Thank you very much for pointing out my flaws once again!

I can't believe how easily you hacked the webserver again and were able to read my CGI scripts' source and write to cgi-bin too!

I have added extra security by following some of your advice; I wonder if you can hack it again!

Feel free to try, if I am not tiring you, please!
 
