On Sat, Mar 9, 2013 at 7:31 AM, Νίκος Γκρ33κ <nikos.gr...@gmail.com> wrote:
> I can't believe how easily you hacked the webserver again and were able to read my
> cgi scripts' source and write to cgi-bin too!
>
> I have added extra security by following some of your advice, I wonder if
> you can hack it again!
>
> Feel free to try if I'm not tiring you please!
Something to think about: There are roughly seven billion people on this planet. You are just one of them; Steven is just one more. This entire mailing list/newsgroup amounts to the most minuscule fraction of the earth's population. There is NO WAY that you are the smartest or most devious person on Earth. Also, the three hours that you put in are *nothing* compared to the collective time that the rest of the world will spend fiddling with your site. Even if all of python-list/c.l.p spent a few hours trying to get around your site's security, that's still not a huge amount compared to the whole planet's deviousness.

You cannot build web site security on the basis of "well, I couldn't get around it, and I tried for a few hours". I had this argument with my boss just yesterday; I pointed out that there was a place where user input was being put into an HTML attribute without being properly escaped (and demonstrated that putting A into the input was equivalent to putting A in), and he asked me how it could possibly be exploited. My response: That does not matter. The mere fact that I could provably show a difference WAS the problem. With that, a determined attacker could potentially figure out a real exploit; it does not matter that I wasn't able to do so.

You need to change your thinking about security/safety. Instead of trying to filter/clean tainted input before passing it to a system() call, you need to either whitelist BRUTALLY first (e.g. insist that the string be one of a particular set of strings - and no, it's not sufficient to make sure that it has only characters from a particular set, though that's a good start), or just plain don't give tainted strings to os.system(). What you have is a MASSIVE potential attack vector. It's quite possibly unsalvageably dangerous.

ChrisA
--
http://mail.python.org/mailman/listinfo/python-list
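An added illustration of the "whitelist brutally" advice above (example code, not from the thread or from Nikos's scripts): the request parameter can only select a key from a fixed table, the argument vector comes from that table rather than from the request, and nothing ever reaches a shell. The action names and commands are assumptions chosen for the example.

```python
"""Allowlist a CGI parameter before running a command, instead of
cleaning a tainted string and handing it to os.system()."""
import subprocess

# Hypothetical table: request value -> fixed argv. The request can pick a
# key; it can never contribute arguments or extra commands.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "date": ["date", "-u"],
}


def charset_only_filter(value: str) -> bool:
    """The 'good start' the post mentions: a character-set check.
    It rejects shell metacharacters, but still accepts any word made of
    letters, which is not the same as accepting only intended values."""
    return value.isalpha()


def validate_action(value: str) -> str:
    """Strict allowlist: the value must be exactly one of a known set.
    Anything else, however harmless it looks, raises ValueError."""
    if value not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {value!r}")
    return value


def is_permitted(value: str) -> bool:
    """Boolean wrapper around validate_action for callers that just branch."""
    try:
        validate_action(value)
        return True
    except ValueError:
        return False


def run_action(value: str) -> str:
    """Validate first, then run the fixed argv without a shell."""
    argv = ALLOWED_ACTIONS[validate_action(value)]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    # "hostname" passes the charset filter but not the allowlist.
    for candidate in ["uptime", "hostname", "a;b"]:
        print(candidate, charset_only_filter(candidate), is_permitted(candidate))
```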