On 9/11/2013 9:54 AM, Νίκος Αλεξόπουλος wrote:
On 9/11/2013 9:05 AM, Νίκος Αλεξόπουλος wrote:
On 9/11/2013 8:37 AM, Chris Angelico wrote:
On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος
<nikos.gr...@gmail.com> wrote:
I'm not saying it out of arrogance, but I was really under the impression I had secured my script.

And I had, until I made some new changes last night, which I think I have corrected now as we speak.

In other words, you closed off whatever you could see as being a
problem, and then boasted that the script was secure... until someone
proved to you that it wasn't. Your script is insecure by default, and
you're band-aid patching everything you happen to be made aware of.
What makes you think that it's now secure?

ChrisA



It's probably unwise to post the following snippet of code that validates user input so an attacker couldn't pass arbitrary values to my script, but what the heck.....

==================================
# initiate some local variables
htmlvalid = pyvalid = False
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

# define how the .html or .python pages are called
# 'file' should come only from .htaccess and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
file = form.getvalue('file')
# 'page' comes from 'index.html' or from within 'metrites.py'
page = form.getvalue('page')

# is it a python file or an html template?
if page and os.path.exists( cgi_path + page ):
    pyvalid = True
elif os.path.exists( file ):
    page = file.replace( path, '' )
    htmlvalid = True
else:
    file = 'forbidden'

.....
.....

if 'forbidden' in file:
    print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση
στο script παρά μόνον μέσω της αρχικής σελίδας!    Ανακατεύθυνση σε
5...''' )
    print( '''<meta http-equiv="REFRESH"
content="5;URL=http://superhost.gr";>''' )
    sys.exit(0)
==================================


Now, when it comes to database insertions I use this check to prevent bogus data:

==================================
if cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and re.search(
        r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)', host ) is None:
==================================

Even if I get re-hacked I'll find a security alternative.





How on earth did the hacker manage to alter the database again:

http://superhost.gr/?show=stats

I can't ****ing believe it!

He is actually trying to read sensitive stuff from my Linux server by passing arguments into the 'page' variable like '../../../../etc/passwd'

How was he able to pass that info again....?!?!

Okay, mighty one!

Try to do the same thing again and be successful.

I know what you did last summer!

You took advantage of this if statement:

if page and os.path.exists( cgi_path + page ):

and managed to pass arbitrary values to page by giving input of '../../../../etc/passwd', which is actually translated as:


if page and os.path.exists( '/home/nikos/public_html/cgi-bin/' + '../../../../etc/passwd' ):

So

1. You actually are passing a value to page
2. The value you passed does in fact exist as a 'pathname/to/a/linux/sensitive/file'


I know what I have to do now:

Alter the if to something like:

if page and os.path.isfile( cgi_path + page ) and page should only be allowed to be an actual file, but only from within the 'cgi-bin' directory.

Hence, I altered the code to this:

if page and os.path.isfile( cgi_path + page ) in os.listdir( cgi_path ):

Try to pass bogus values into my database again!

--
https://mail.python.org/mailman/listinfo/python-list
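As an added illustration (not code from the thread or from the poster's metrites.py), here are the three checks discussed above side by side on a constructed directory tree: the original `os.path.exists(cgi_path + page)` test, the poster's revised `isfile(...) in listdir(...)` line, and a containment check that resolves the path with `os.path.realpath` and requires it to stay under the cgi-bin directory. The temporary directory, `metrites.py` stub and `secret.txt` are constructed stand-ins for the poster's real paths and for `/etc/passwd`.

```python
import os
import tempfile


def vulnerable_check(cgi_path, page):
    """The check the thread discusses: string concatenation plus os.path.exists.
    The OS resolves '../' segments in `page`, so any readable file passes."""
    return bool(page) and os.path.exists(cgi_path + page)


def revised_check(cgi_path, page):
    """The poster's follow-up line. os.path.isfile() returns a bool, and a bool is
    never an element of os.listdir(), so this condition is False for every input."""
    return bool(page) and os.path.isfile(cgi_path + page) in os.listdir(cgi_path)


def confined_check(cgi_path, page):
    """Defensive version: resolve the joined path and accept it only if it is a
    regular file located inside cgi_path. Absolute paths and '..' escapes fail
    the commonpath test; the directory itself is rejected as well."""
    if not page:
        return False
    root = os.path.realpath(cgi_path)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root or target == root:
        return False
    return os.path.isfile(target)


def demo():
    """Build a constructed tree (stand-in for /home/nikos/public_html/cgi-bin/)
    and evaluate each check on a legitimate script name and on a traversal
    input that climbs out of cgi-bin, as in the '../../../../etc/passwd' case."""
    base = tempfile.mkdtemp()
    cgi = os.path.join(base, 'public_html', 'cgi-bin') + os.sep
    os.makedirs(cgi)
    open(os.path.join(cgi, 'metrites.py'), 'w').close()   # legitimate page
    open(os.path.join(base, 'secret.txt'), 'w').close()   # stands in for /etc/passwd
    traversal = '../../secret.txt'                        # two levels above cgi-bin
    return {
        'vulnerable': (vulnerable_check(cgi, 'metrites.py'), vulnerable_check(cgi, traversal)),
        'revised': (revised_check(cgi, 'metrites.py'), revised_check(cgi, traversal)),
        'confined': (confined_check(cgi, 'metrites.py'), confined_check(cgi, traversal)),
    }


if __name__ == '__main__':
    for name, (legit, escape) in demo().items():
        print(f'{name:10s} legitimate page accepted={legit}  traversal accepted={escape}')
```

Each tuple is (legitimate page accepted, traversal accepted): the original check yields (True, True), the revised line (False, False) because it also locks out every real script, and the confined check (True, False).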
