On Fri, Sep 6, 2013 at 2:54 AM, Markus Unterwaditzer
<[email protected]> wrote:
> Hello,
>
> While this is a great exercise, I would be careful to put something like this
> on the internet, especially if there are other apps running on the same system
> user. Things like this are crying for hackery and weird tricks to execute any
> Python code on the server. Although I wasn't able to do so, somebody smarter
> than me might make it :P
>

Agreed. At the very least, it's very easy for someone to DoS you by
making an infinite loop in the template. At worst, people can read
files and execute arbitrary code on the machine.

I was able to read /etc/passwd and run "ls /home" (emailed you
off-list with proof).

PyYAML may also have some code execution vulnerabilities.

As useful as this tool is, you should take it offline or make sure
it's running in some kind of sandbox where you don't care if users can
get shell access.

-Steve

-- 
You received this message because you are subscribed to the Google Groups 
"pocoo-libs" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/pocoo-libs.
For more options, visit https://groups.google.com/groups/opt_out.
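Added example for this thread (not code from the playground tool being discussed, nor from Jinja2 or PyYAML): the two problems Steve names, side by side with the hardened calls a practitioner would use. It assumes jinja2 and PyYAML are installed; every template and YAML document in it is constructed here. The Jinja2 probe only walks from a string literal up to `object` and counts the loaded classes, which is the first step of the well-known template-injection chain and enough to show the door is open; it opens no files. The YAML payload calls `os.getcwd`, a harmless stand-in for the `os.system` that the same tag would call just as happily.

```python
"""Untrusted Jinja2 templates and untrusted YAML: default APIs vs. hardened ones.

Added example for the pocoo-libs thread; not code from the playground tool,
from Jinja2, or from PyYAML. Assumes jinja2 and PyYAML are installed.
All templates and YAML documents below are constructed for this example.
"""
import os

import yaml
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe: from a plain string, walk the MRO to `object`, then list
# every loaded class. That is step one of the known Jinja2 SSTI chain; the
# probe stops at counting the classes and opens no files.
PROBE_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() | length }}"

# Constructed CPU-exhaustion template: an empty loop body, a billion iterations.
LOOP_TEMPLATE = "{% for i in range(10 ** 9) %}{% endfor %}done"

# Constructed YAML document using the python/object/apply tag, which makes the
# loader call an arbitrary importable function. os.getcwd is harmless here;
# os.system or subprocess.check_output would be accepted the same way.
YAML_PAYLOAD = "!!python/object/apply:os.getcwd []"


def render_default(template_src, **ctx):
    """A plain Environment, as an online playground would likely use it.
    Attribute access is unrestricted, so a template reaches Python internals."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src, **ctx):
    """Hardened form. SandboxedEnvironment refuses attributes that start with
    an underscore and replaces `range` with a capped version (MAX_RANGE).
    Both refusals raise; they are reported here as a 'blocked: ...' string."""
    try:
        return SandboxedEnvironment().from_string(template_src).render(**ctx)
    except SecurityError:
        return "blocked: SecurityError"
    except OverflowError:
        return "blocked: OverflowError"


def load_yaml_unsafely(doc):
    """UnsafeLoader honours python/* tags, so this actually calls os.getcwd()."""
    return yaml.load(doc, Loader=yaml.UnsafeLoader)


def load_yaml_safely(doc):
    """safe_load knows only the core YAML types and rejects python/* tags."""
    try:
        return yaml.safe_load(doc)
    except yaml.constructor.ConstructorError:
        return "blocked: ConstructorError"


def unsafe_yaml_calls_python(doc=YAML_PAYLOAD):
    """True when loading `doc` with UnsafeLoader really invoked os.getcwd()."""
    return load_yaml_unsafely(doc) == os.getcwd()


if __name__ == "__main__":
    print("default Environment, probe  :", render_default(PROBE_TEMPLATE), "classes reachable")
    print("sandboxed Environment, probe:", render_sandboxed(PROBE_TEMPLATE))
    print("sandboxed Environment, loop :", render_sandboxed(LOOP_TEMPLATE))
    print("yaml.safe_load              :", load_yaml_safely(YAML_PAYLOAD))
    print("yaml UnsafeLoader ran getcwd:", unsafe_yaml_calls_python())
```

Two caveats on the hardened calls. The sandbox caps one `range`, not total work: two nested loops of MAX_RANGE each still burn 10^10 iterations, so an internet-facing renderer still belongs in a separate process with a wall-clock timeout and memory/CPU limits, which is the "sandbox where you don't care if users can get shell access" Steve asks for. And `yaml.safe_load` still expands every anchor and alias in the document, so size-limit untrusted YAML before parsing it.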
