Johanne,

I see that you have already implemented a captcha.  Blast.  You've made
manipulating results much more difficult.

One observation though-
You are executing one query against your DB that includes the
concatenation of an http GET variable passed by the user.  You don't do any
sort of data validation, escaping, or cleansing before you concatenate the
user supplied variable into your query string.  I don't know anything about
the GQL syntax, but this seems ripe for injection.

The two lines in question are:

level = self.request.get('level')
pstations = db.GqlQuery("SELECT * FROM PollingStation WHERE " + level + "_name >= :1 AND " + level + "_name < :2",
                        query, query + u"\ufffd")

David

On Mon, Jan 31, 2011 at 11:11 AM, David Gelvin <[email protected]> wrote:

>
> On Fri, Jan 28, 2011 at 9:17 AM, Johanne Banda
> <[email protected]> wrote:
>
>>
>> Firstly David, thank you very much for the "Otunnu Exploit".
>> That is why we open sourced the project: to get as much feedback as
>> possible and make the best project possible.
>>
>> The Exploit has been patched.
>>
>> Please continue to test the site and find the holes (if you find them we
>> will patch them)
>>
>> Less than a month to the elections and the input of the Techie community
>> is sorely needed.
>>
>> Johanne
>>
>
> Open source peer review at its finest.
>
> The fixes look like a good start- particularly not revealing the number of
> registered voters per polling station.  The only sure-fire way to prevent
> automated submissions is to implement a captcha though.  Scripts like this
> are the reason why captchas (no matter how obnoxious) exist.  Cookies /
> user-agents can easily be modified for each submission.
>
> Also, thanks for receiving the feedback so amicably- many others wouldn't
> have.
>
> David
>
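The point David raises above is that parameter binding (the :1 and :2 placeholders) only protects the values compared against, not the field name that is being concatenated in from the 'level' request parameter; an identifier cannot be bound, so the fix is to accept it only from a fixed list. The following is an added example written for this thread, not code from the project being discussed. It assumes a stand-in GqlQuery class that merely records the query text (so it runs without App Engine) and a hypothetical allowlist of PollingStation field prefixes; the project's real field names are not known from the thread.

```python
# Added example, not the project's code. Assumptions: a stub GqlQuery that
# records query text instead of hitting the datastore, and a hypothetical
# allowlist of the field prefixes a client may search on.


class GqlQuery(object):
    """Stand-in for google.appengine.ext.db.GqlQuery, constructed for this
    example: it only records the query text and the bound parameters."""

    def __init__(self, query_string, *params):
        self.query_string = query_string
        self.params = params


# Hypothetical allowlist of field-name prefixes (the real ones are unknown).
ALLOWED_LEVELS = frozenset({"district", "county", "subcounty", "parish"})


def build_query_unsafe(level, query):
    """The pattern quoted in the thread: the 'level' request parameter is
    spliced straight into the GQL text, so whatever the client sends for it
    becomes part of the statement. The bound values (:1, :2) are not the
    problem; the identifier is."""
    return GqlQuery(
        "SELECT * FROM PollingStation WHERE " + level + "_name >= :1 AND "
        + level + "_name < :2",
        query, query + u"\ufffd")


def build_query_safe(level, query):
    """Hardened form: the field name may only come from the allowlist, and
    anything else is rejected before any query text is assembled. The values
    still go through :1 and :2 as before."""
    if level not in ALLOWED_LEVELS:
        raise ValueError("unsupported level: %r" % (level,))
    field = level + "_name"
    return GqlQuery(
        "SELECT * FROM PollingStation WHERE %s >= :1 AND %s < :2" % (field, field),
        query, query + u"\ufffd")


def handle_request(params):
    """Mimics the handler: reads 'level' and 'q' from a dict standing in for
    self.request and returns the query object or None when 'level' is bad.
    Returning None (or an HTTP 400 in a real handler) is the safe failure."""
    try:
        return build_query_safe(params.get("level", ""), params.get("q", ""))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and one with an unexpected
    # 'level' value that the unsafe builder would copy into the statement.
    print(handle_request({"level": "district", "q": "Kam"}).query_string)
    print(handle_request({"level": "not_a_field", "q": "Kam"}))
    print(build_query_unsafe("not_a_field", "Kam").query_string)
```

A request with an unexpected 'level' yields None from the handler, while the unsafe builder shows the same value landing verbatim in the statement text, which is what makes the quoted two lines worth fixing even though the comparison values themselves are bound.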


_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: 
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including 
attachments if any). The mailing list host is not responsible for them in any 
way.
