David

The new source code is up. Please go to the new tinyurl link on the site.

Johanne

On Mon, Jan 31, 2011 at 1:09 PM, David Gelvin <[email protected]> wrote:

> Johanne,
>
> I see that you have already implemented a captcha. Blast. You've made
> manipulating results much more difficult.
>
> One observation though-
> You are executing one query against your DB that includes the
> concatenation of an http GET variable passed by the user. You don't do any
> sort of data validation, escaping, or cleansing before you concatenate the
> user supplied variable into your query string. I don't know anything about
> the GQL syntax, but this seems ripe for injection.
>
> The two lines in question are:
>
> level = self.request.get('level')
> pstations = db.GqlQuery("SELECT * FROM PollingStation WHERE "+level+"_name >= :1 AND "+level+"_name < :2", query, query + u"\ufffd")
>
> David
>
>
> On Mon, Jan 31, 2011 at 11:11 AM, David Gelvin <[email protected]> wrote:
>
>> On Fri, Jan 28, 2011 at 9:17 AM, Johanne Banda
>> <[email protected]> wrote:
>>
>>> Firstly David, thank you very much for the "Otunnu Exploit".
>>> That is why we open sourced the project. To get as much feedback as
>>> possible and make the best project possible.
>>>
>>> The Exploit has been patched.
>>>
>>> Please continue to test the site and find the holes (if you find them we
>>> will patch them).
>>>
>>> Less than a month to the elections and the input of the Techie community
>>> is sorely needed.
>>>
>>> Johanne
>>
>> Open source peer review at its finest.
>>
>> The fixes look like a good start- particularly not revealing the number of
>> registered voters per polling station. The only sure-fire way to prevent
>> automated submissions is to implement a captcha though. Scripts like this
>> are the reason why captchas (no matter how obnoxious) exist. Cookies /
>> user-agents can easily be modified for each submission.
>>
>> Also, thanks for receiving the feedback so amicably- many others wouldn't
>> have.
>>
>> David

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to:
[email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including
attachments if any). The mailing list host is not responsible for them in
any way.
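The injection point David describes above is worth spelling out, because the usual fix (bound parameters) does not cover it. The `:1` and `:2` markers in the quoted `db.GqlQuery` call already bind the search values safely; the exposure is the `level` GET variable, which is spliced into the query text as a property name (`<level>_name`). Query parameters in GQL, as in SQL, bind values, not identifiers, so the defence is to accept `level` only from a fixed allow-list before it reaches the string. The following is an added example, not code from the thread or from the project it discusses. The level names (`district`, `county`, `parish`), the `<level>_name` property convention and the `lookup_stations` handler are assumptions; the App Engine SDK is not required because the builder returns the GQL text plus the parameters a handler would pass as `db.GqlQuery(gql, *params)`.

```python
# Added example (not the project's code). The level names and the
# '<level>_name' property convention are assumptions about the application.

# Assumed administrative levels the search form may ask for.
ALLOWED_LEVELS = ("district", "county", "parish")


def validate_level(level):
    """Return the level if it is one of ALLOWED_LEVELS, else raise ValueError.

    Comparing against a fixed tuple means a request-controlled string can
    never become part of the query text, whatever characters it contains.
    """
    if level not in ALLOWED_LEVELS:
        raise ValueError("unsupported level: %r" % (level,))
    return level


def build_station_query(level, prefix):
    """Build the prefix-match query for PollingStation at the given level.

    Returns (gql, params). The property name comes from the allow-list;
    'prefix' is never concatenated into the GQL text but passed as bound
    parameters, keeping the prefix + U+FFFD upper bound the original
    code already uses for Datastore prefix matching.
    """
    prop = validate_level(level) + "_name"
    gql = ("SELECT * FROM PollingStation WHERE %s >= :1 AND %s < :2"
           % (prop, prop))
    params = (prefix, prefix + u"\ufffd")
    return gql, params


def lookup_stations(get_params):
    """Hypothetical handler logic (assumed, not the project's own).

    'get_params' is a dict standing in for self.request.get. Returns the
    (gql, params) pair, or None when 'level' is not an allowed value, so
    the caller can answer with a 400 instead of running any query.
    """
    try:
        return build_station_query(get_params.get("level", ""),
                                   get_params.get("q", ""))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one with an unexpected
    # 'level' value that is rejected before any query text is assembled.
    print(lookup_stations({"level": "district", "q": "Kam"}))
    print(lookup_stations({"level": "village", "q": "Kam"}))
```

A handler would call `db.GqlQuery(gql, *params)` on the returned pair; the point is that the only string that ever enters the query text is one of the three constants, and everything the user typed travels as a parameter.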
