On Friday, March 8, 2013 10:01:59 PM UTC+2, Ian wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <i...@cravendot.gr> wrote:
> > I dare anyone who wants to to mess with 'htmlpage' variable value's now!
> >
> > I made it unhackable i believe!
> >
> > I'am testing it myself 3 hours now and find it safe!
> >
> > Please feel free to try also!
>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.
Thank you very much for pointing out my flaws once again! I can't believe how easily you hacked the webserver again and were able to read my CGI scripts' source and write to cgi-bin too! I have added extra security by following some of your advice; I wonder if you can hack it again! Feel free to try, if I'm not tiring you, please!

--
http://mail.python.org/mailman/listinfo/python-list
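Ian's two points, that the check has to apply to the field the script actually dispatches on and that testing whether '.html' appears somewhere in the value is not a path check, as an added example in Python. This is illustrative code written for this page, not the CGI script from the thread; the directory layout, the form field names and the request values are constructed for the demo, and the poster's real server may look nothing like it.

```python
import os
import tempfile


def weak_check(page):
    """The kind of test Ian describes: does '.html' appear anywhere in the
    value? It says nothing about where the path points."""
    return ".html" in page


def resolve_page(param, docroot):
    """Map a request parameter to a file under docroot.

    Returns the canonical path, or None if the request must be refused.
    Refuses empty values, embedded NULs, anything that resolves outside
    docroot (via '..', an absolute path or a symlink), missing files,
    directories, and files whose real name does not end in .html.
    """
    if not param or "\0" in param:
        return None
    root = os.path.realpath(docroot)
    # os.path.join drops root if param is absolute; realpath collapses '..'
    # and follows symlinks, so the containment test sees the real target,
    # not the string the client sent.
    candidate = os.path.realpath(os.path.join(root, param))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        return None
    if not os.path.isfile(candidate) or not candidate.endswith(".html"):
        return None
    return candidate


def handle_request(form, docroot):
    """Dispatch on the same field that was validated. The bug in the thread
    was validating 'htmlpage' while the dispatch still honoured 'page', so a
    'page' parameter here is simply ignored."""
    path = resolve_page(form.get("htmlpage", ""), docroot)
    if path is None:
        return 404, "Not Found"
    with open(path, encoding="utf-8") as fh:
        return 200, fh.read()


def build_demo_tree():
    """Constructed layout for the example (assumption, not the poster's server):
    <base>/htdocs/index.html is servable, <base>/cgi-bin/serve.py is not."""
    base = tempfile.mkdtemp(prefix="pagedemo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    os.makedirs(os.path.join(base, "cgi-bin"))
    with open(os.path.join(docroot, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>")
    with open(os.path.join(base, "cgi-bin", "serve.py"), "w", encoding="utf-8") as fh:
        fh.write("print('cgi source')\n")
    return docroot


# Constructed request values. The third one satisfies weak_check but points
# at the CGI source; the second fails weak_check but would have been served
# by a dispatch that reads an unvalidated field.
REQUESTS = [
    "index.html",                  # legitimate page
    "../cgi-bin/serve.py",         # traversal to script source
    "../cgi-bin/serve.py\0.html",  # traversal that contains '.html'
    "/etc/passwd.html",            # absolute path outside docroot
    "missing.html",                # does not exist
]


def run_demo():
    """Return {request: (weak_check verdict, resolve_page accepted)}."""
    docroot = build_demo_tree()
    return {r: (weak_check(r), resolve_page(r, docroot) is not None) for r in REQUESTS}


if __name__ == "__main__":
    for req, (weak, strict) in run_demo().items():
        print(f"{req!r:36} weak_check={weak!s:5} resolve_page={strict}")
```

The containment test is done on the canonicalised path rather than the submitted string, so prefix tricks ('..' segments, an absolute path, a symlink planted under the document root) all fail the same way, and the extension is checked on the resolved filename rather than on the raw parameter.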