Hi bmm,

On Tue, Sep 29, 2009 at 5:45 PM, bmm <[email protected]> wrote:
>
> Hi everybody,
>
> In the normal admin console I got some weird error urls, like "/var/jquery/).replac". They almost look like script injections for links (so that if a link to the requested url would be created in the admin console, clicking it would open up my account or something cool like that).
>
> Appended to the end of this message is the source of the table showing the urls. Following the links will send me to the admin log where the filter it selects is not a valid regular expression and fails to show up. So that is probably a bug.

Can you file a bug in the issue tracker at http://code.google.com/p/googleappengine/issues , please?

> I think the url escaping does not properly protect against regular expression syntax, while the log viewer expects it to. That is just a bug report, but I wanted to start a thread so I could ask whether the links could be attack attempts? (Failed attempts to insert javascript into the admin console or something weird like that, even though I don't think it is currently possible without the "javascript:" prefix in there :) ).

I think they're probably attempts to exploit injection vulnerabilities in your own app's code, not in the admin console.

-Nick Johnson

> Greets,
> Bram
>
> =====HTML source from my admin console
>
> <table id="ae-dash-errors" class="ae-table ae-table-striped">
> <caption>
> <strong>
> Errors <a href="http://code.google.com/appengine/kb/general.html#erroruris" target="_blank"><img class="ae-help-icon" src="/img/help.gif" alt="help" height="14" width="14"></a>
> </strong>
> </caption>
> <colgroup>
> <col>
> <col id="ae-dash-errors-count-col">
> <col id="ae-dash-errors-percent-col">
> </colgroup>
> <thead>
> <tr>
> <th scope="col">URI<span> </span></th>
> <th scope="col" title="Total Number of Errors">Count<span> </span></th>
> <th scope="col" title="Percentage of Requests for this URI which Resulted in Errors">
> % Errors
> <span>
> last 10 hrs
> </span>
> </th>
> </tr>
> </thead>
> <tbody>
> <tr>
> <td>
> <div class="ae-nowrap" title="/var/jquery/">
> <a href="/logs?include_req_logs=True&severity_level=&app_id=metamirrors&version_id=1.336318870400245231&logs_form=1&filter=path%3A%22%2Fvar%2Fjquery%2F%22+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View">/var/jquery/</a>
> </div>
> </td>
> <td>
> 4
> </td>
> <td>
> 100%
> </td>
> </tr>
> <tr class="ae-even">
> <td>
> <div class="ae-nowrap" title="/var/jquery/text/javascript">
> <a href="/logs?include_req_logs=True&severity_level=&app_id=metamirrors&version_id=1.336318870400245231&logs_form=1&filter=path%3A%22%2Fvar%2Fjquery%2Ftext%2Fjavascript%22+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View">/var/jquery/text/javascript</a>
> </div>
> </td>
> <td>
> 1
> </td>
> <td>
> 100%
> </td>
> </tr>
> <tr>
> <td>
> <div class="ae-nowrap" title="/text/javascript">
> <a href="/logs?include_req_logs=True&severity_level=&app_id=metamirrors&version_id=1.336318870400245231&logs_form=1&filter=path%3A%22%2Ftext%2Fjavascript%22+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View">/text/javascript</a>
> </div>
> </td>
> <td>
> 1
> </td>
> <td>
> 100%
> </td>
> </tr>
> <tr class="ae-even">
> <td>
> <div class="ae-nowrap" title="/var/jquery/).replace(/%20/g,">
> <a href="/logs?include_req_logs=True&severity_level=&app_id=metamirrors&version_id=1.336318870400245231&logs_form=1&filter=path%3A%22%2Fvar%2Fjquery%2F%29.replace%28%2F%2520%2Fg%2C%22+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View">/var/jquery/).replace(/%20/g,</a>
> </div>
> </td>
> <td>
> 1
> </td>
> <td>
> </td>
> </tr>
> <tr>
> <td>
> <div class="ae-nowrap" title="/).replace(/%20/g,">
> <a href="/logs?include_req_logs=True&severity_level=&app_id=metamirrors&version_id=1.336318870400245231&logs_form=1&filter=path%3A%22%2F%29.replace%28%2F%2520%2Fg%2C%22+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View">/).replace(/%20/g,</a>
> </div>
> </td>
> <td>
> 1
> </td>
> <td>
> </td>
> </tr>
> </tbody>
> </table>
>

--
Nick Johnson, Developer Programs Engineer, App Engine
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047

You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en
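The bug Bram describes, reproduced as an added example that is not code from this thread or from App Engine: the `filter` parameter in each quoted log-viewer link is URL-decoded, the quoted `path:"..."` value is pulled out, and each path is checked against a regular-expression parser. The assumption (Bram's inference, not something the admin console documents on this page) is that the log viewer treats the quoted path value as a regular expression; Python's `re` stands in for that parser. The links are trimmed copies of the ones in the quoted HTML, and `literal_path_filter` shows the fix a practitioner would expect: escape the attacker-controlled request path before embedding it in anything parsed as a regex.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the log-viewer links from the admin-console table quoted
# above, trimmed to the query parameters that matter here. The URL-encoded
# `filter` values are copied from the message unchanged.
LOG_LINKS = [
    "/logs?app_id=metamirrors&logs_form=1"
    "&filter=path%3A%22%2Fvar%2Fjquery%2F%22+status%3A%5B45%5D%5Cd%5Cd"
    "&filter_type=labels&view=View",
    "/logs?app_id=metamirrors&logs_form=1"
    "&filter=path%3A%22%2Fvar%2Fjquery%2F%29.replace%28%2F%2520%2Fg%2C%22"
    "+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View",
    "/logs?app_id=metamirrors&logs_form=1"
    "&filter=path%3A%22%2F%29.replace%28%2F%2520%2Fg%2C%22"
    "+status%3A%5B45%5D%5Cd%5Cd&filter_type=labels&view=View",
]

# A decoded filter looks like:  path:"<path>" status:[45]\d\d
# The path is everything between the first pair of double quotes; none of the
# quoted links has a quote inside the path, so this shape is enough for them.
FILTER_SHAPE = re.compile(r'^path:"(?P<path>[^"]*)"(?P<rest>.*)$', re.DOTALL)


def decoded_filter(link):
    """URL-decode the `filter` parameter of a log-viewer link ('+' becomes a space)."""
    return parse_qs(urlsplit(link).query)["filter"][0]


def path_from_filter(filter_text):
    """Pull the quoted path value out of a decoded filter string."""
    m = FILTER_SHAPE.match(filter_text)
    if m is None:
        raise ValueError("unexpected filter shape: %r" % filter_text)
    return m.group("path")


def is_valid_regex(text):
    """True if `text` compiles as a regular expression, False on a syntax error."""
    try:
        re.compile(text)
    except re.error:
        return False
    return True


def literal_path_filter(path, status_pattern=r"[45]\d\d"):
    """Rebuild the filter with the path escaped so it can only match itself.

    Assumed fix (not the console's actual code): the request path is
    attacker-controlled text, so regex metacharacters in it are escaped
    before it is embedded in a filter that will be parsed as a regex.
    """
    return 'path:"%s" status:%s' % (re.escape(path), status_pattern)


def escaped_path_matches_itself(path):
    """Check the escaped form matches exactly the original path and nothing longer."""
    pattern = re.compile(re.escape(path))
    return pattern.fullmatch(path) is not None and pattern.fullmatch(path + "x") is None


def triage(links):
    """For each link: the raw path, whether it is a valid regex, and the safe filter."""
    rows = []
    for link in links:
        path = path_from_filter(decoded_filter(link))
        rows.append({
            "path": path,
            "valid_regex": is_valid_regex(path),
            "fixed_filter": literal_path_filter(path),
        })
    return rows


if __name__ == "__main__":
    for row in triage(LOG_LINKS):
        status = "ok" if row["valid_regex"] else "INVALID regex"
        print("%-32s %-14s -> %s" % (row["path"], status, row["fixed_filter"]))
```

Running it shows `/var/jquery/` compiling cleanly while both paths containing `).replace(` fail with an unbalanced parenthesis, which is the "not a valid regular expression" symptom Bram sees when following the links; the escaped filters all compile and match only the literal path. Note that URL encoding is the wrong layer for this: it protects the query string, not whatever the decoded value is later parsed as, so the escaping has to happen where the value is embedded in the filter.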
