Thanks Steve for the lesson. I will be more careful next time.

On Friday, September 6, 2013 5:46:47 PM UTC+2, Steven Kryskalla wrote:
>
> On Fri, Sep 6, 2013 at 2:54 AM, Markus Unterwaditzer
> <[email protected]> wrote:
> > Hello,
> >
> > While this is a great exercise, I would be careful to put something like this
> > on the internet, especially if there are other apps running on the same system
> > user. Things like this are crying for hackery and weird tricks to execute any
> > Python code on the server. Although I wasn't able to do so, somebody smarter
> > than me might make it :P
> >
>
> Agreed, at the very least, it's very easy for someone to DoS you by
> making an infinite loop in the template. At the worst, people can read
> files & execute arbitrary code on the machine.
>
> I was able to read /etc/passwd and run "ls /home" (emailed you
> off-list with proof).
>
> PyYAML may also have some code execution vulnerabilities.
>
> As useful as this tool is, you should take it offline or make sure
> it's running in some kind of sandbox where you don't care if users can
> get shell access.
>
> -Steve
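The file read Steve describes, and what Jinja2's own sandbox changes about it, as an added example that is not code from this thread or from the tool under discussion. It assumes the service renders whatever template a user submits and exposes a `path` variable to it; the "secret" file and its contents are constructed stand-ins for /etc/passwd. It needs the jinja2 package installed.

```python
"""Added example (not from the thread): a public "render my template" service
on a plain jinja2.Environment lets users read files, while
jinja2.sandbox.SandboxedEnvironment blocks the attribute walk they rely on."""
import os
import tempfile

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# A template a hostile user could paste into the tool. It never mentions
# "open" or "os" by name: it walks from a string literal to its class, up the
# MRO to object, through object's subclasses to warnings.catch_warnings (a
# class defined in Python, so its __init__ carries a __globals__ dict), and
# pulls open() out of that module's __builtins__. Every step is plain
# attribute or item access, which an unsandboxed Environment permits.
HOSTILE_TEMPLATE = (
    "{% for c in ''.__class__.__mro__[1].__subclasses__() %}"
    "{% if c.__name__ == 'catch_warnings' %}"
    "{{ c.__init__.__globals__['__builtins__']['open'](path).read() }}"
    "{% endif %}"
    "{% endfor %}"
)


def render_untrusted(env, template_source, **context):
    """Render a user-supplied template and report what happened.

    Returns ("ok", output) when rendering succeeded and ("blocked", name)
    when the environment refused an access. Only SecurityError counts as a
    block; anything else propagates, so a broken sandbox is not mistaken
    for a working one.
    """
    template = env.from_string(template_source)
    try:
        return "ok", template.render(**context)
    except SecurityError as exc:
        return "blocked", type(exc).__name__


def run_demo(secret="db_password=hunter2"):
    """Render the hostile template against a temp file holding `secret`
    (a constructed stand-in for /etc/passwd) under both environments."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        results = {}
        for label, env in (("plain", Environment()),
                           ("sandboxed", SandboxedEnvironment())):
            status, detail = render_untrusted(env, HOSTILE_TEMPLATE, path=path)
            results[label] = (status, detail.strip())
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, (status, detail) in run_demo().items():
        print(f"{label:10} {status:8} {detail}")
```

The plain environment returns the file contents; the sandboxed one raises `SecurityError` at the first underscore-prefixed attribute (`''.__class__`), because `SandboxedEnvironment.is_safe_attribute` rejects such names outright. Two caveats a practitioner should keep in mind. First, the sandbox is an attribute filter, not a resource limit: it swaps `range` for a capped version, but it does not bound CPU or memory for, say, a recursive macro or a large string repetition, so the DoS Steve mentions still needs a per-request timeout and process-level limits (or an isolated worker, which is also the only real answer to "somebody smarter than me"). Second, for the PyYAML side, `yaml.load` with the default loader constructs arbitrary Python objects from `!!python/object` tags; feed untrusted input only to `yaml.safe_load`.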
