Velocity Reviews - Computer Hardware Reviews


An error when I switched from python v2.6.6 => v3.2.3

 
 
Νίκος Γκρ33κ
03-08-2013
On Friday, 8 March 2013 5:55:07 AM UTC+2, Vito De Tullio wrote:
> Νίκος Γκρ33κ wrote:
>
>>> -c ''; rm -rf /; oops.py
>>
>> Yes its being pulled by http request!
>>
>> But please try to do it, i dont think it will work!
>
> try yourself and tell us what happened
>
> --
> ZeD


Someone with IP of:

dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18

as my cgi script tells me.

I think it was Chris Angelico
 
Chris Angelico
 
      03-08-2013
On Fri, Mar 8, 2013 at 5:56 PM, Νίκος Γκρ33κ <> wrote:
> Someone with ip of:
>
> dslb-188-108-250-211.pools.arcor-ip.net Windows Opera 1 2013-03-08 03:19:18
>
> as my cgi script tells me.
>
> i think it was Chris Angelico


Nope, not me. As you'll be able to confirm in any number of ways, I'm
in Australia. Also, I use Chrome. That's someone else!

As a general rule, don't reveal people's IP addresses without
permission or good reason; it's unnecessarily breaking privacy.

ChrisA
 
 
Νίκος Γκρ33κ
 
      03-08-2013
I must thank the tester of my website's security!

He hacked it nicely and easily through tampering with the 'htmlpage' variable's value!

Now I'm validating htmlpage's input value and I don't believe it's hackable any more!

Please feel free to try, whoever wants to!

Thank you all for your patience with me and support provided!
 
 
Steven D'Aprano
 
      03-08-2013
On Fri, 08 Mar 2013 04:55:07 +0100, Vito De Tullio wrote:

> Νίκος Γκρ33κ wrote:
>
>>> -c ''; rm -rf /; oops.py
>>
>> Yes its being pulled by http request!
>>
>> But please try to do it, i dont think it will work!
>
> try yourself and tell us what happened

That's not very nice.

Please don't tell the newbies to destroy their system, no matter how
tempting it might be.

--
Steven
 
 
info@cravendot.gr
 
      03-08-2013
On Friday, 8 March 2013 8:54:15 PM UTC+2, Steven D'Aprano wrote:
> On Fri, 08 Mar 2013 04:55:07 +0100, Vito De Tullio wrote:
>
>> Νίκος Γκρ33κ wrote:
>>
>>>> -c ''; rm -rf /; oops.py
>>>
>>> Yes its being pulled by http request!
>>>
>>> But please try to do it, i dont think it will work!
>>
>> try yourself and tell us what happened
>
> That's not very nice.
>
> Please don't tell the newbies to destroy their system, no matter how
> tempting it might be.
>
> --
> Steven

I dare anyone who wants to to mess with the 'htmlpage' variable's value now!

I made it unhackable, I believe!

I've been testing it myself for 3 hours now and find it safe!

Please feel free to try also!
 
 
Ian Kelly
 
      03-08-2013
On Fri, Mar 8, 2013 at 12:19 PM, <> wrote:
> I dare anyone who wants to to mess with 'htmlpage' variable value's now!
>
> I made it unhackable i believe!
>
> I'am testing it myself 3 hours now and find it safe!
>
> Please feel free to try also!


Okay, done. I was still able to read your source files, and I was
still able to write a file to your webserver. All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere. It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.
 
 
Ian Kelly
 
      03-08-2013
On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly <> wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <> wrote:
>> I dare anyone who wants to to mess with 'htmlpage' variable value's now!
>>
>> I made it unhackable i believe!
>>
>> I'am testing it myself 3 hours now and find it safe!
>>
>> Please feel free to try also!

>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.


os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
 
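Ian's two posts above give the recipe: do not trust a substring test for '.html', check that the requested file actually exists, check that it lives under a directory the web server is meant to serve, and do not leave a second, unvalidated parameter ('page') that reaches the same dispatch. The block below is an added example written for this thread; it is not Nikos's cgi script and not code Ian posted. The names resolve_page, page_from_form, weak_check, build_sample_docroot and DOCROOT, and the temporary directory layout, are made up for illustration. It uses os.path.realpath (assumed to be the function Ian refers to as realname) together with os.path.commonpath to confine the resolved path, and os.path.isfile for the existence check.

```python
# Added example: confining a user-supplied "page" parameter to the web root.
# Not the original poster's script; names and the sample layout are invented.
import os
import tempfile


def weak_check(requested: str) -> bool:
    """The validation Ian describes: does '.html' appear anywhere in the value?

    Kept only as the anti-pattern. A traversal value that happens to contain
    '.html' passes it, and it never asks where the file actually is.
    """
    return ".html" in requested


def resolve_page(docroot: str, requested: str):
    """Map a user-supplied page name to an HTML file under docroot, or None.

    Checks, in order: reject empty values and NUL bytes; strip leading slashes
    so an absolute path cannot replace docroot inside os.path.join; collapse
    '..' and symlinks with os.path.realpath; require the result to stay inside
    docroot (os.path.commonpath); require '.html' at the END of the name, not
    merely somewhere in it; and finally require that a regular file exists.
    """
    if not requested or "\0" in requested:
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # '..' or a symlink led outside the document root
    if not candidate.endswith(".html"):
        return None  # extension must terminate the name
    if not os.path.isfile(candidate):
        return None  # directories, devices and missing files are all rejected
    return candidate


def page_from_form(docroot: str, form: dict):
    """Dispatch on exactly one parameter name.

    Ian's second finding was that validating 'htmlpage' is pointless while the
    script also honours 'page' for the same purpose. Here every other field is
    ignored, so there is no unvalidated route into resolve_page.
    """
    return resolve_page(docroot, form.get("htmlpage", ""))


def build_sample_docroot() -> str:
    """Constructed layout for the demo (a temp directory, not a real server):

        <tmp>/htdocs/index.html      the only file that may be served
        <tmp>/cgi-bin/script.py      source that must never be readable
        <tmp>/private/draft.html     ends in .html but lives outside htdocs
    """
    base = tempfile.mkdtemp(prefix="cgi-demo-")
    docroot = os.path.join(base, "htdocs")
    for sub in ("htdocs", "cgi-bin", "private"):
        os.makedirs(os.path.join(base, sub))
    files = {
        "htdocs/index.html": "<html><body>hello</body></html>\n",
        "cgi-bin/script.py": "# secret source\n",
        "private/draft.html": "<html>not public</html>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(body)
    return docroot


DOCROOT = build_sample_docroot()  # created once at import for the demo below

if __name__ == "__main__":
    for req in ("index.html", "/index.html", "missing.html",
                "../cgi-bin/script.py", "../private/draft.html"):
        print(f"{req!r:25} weak_check={weak_check(req)!s:5} "
              f"resolve_page={resolve_page(DOCROOT, req)}")
```

The contrast to look at is "../private/draft.html": the substring test accepts it, resolve_page rejects it because the resolved path leaves htdocs. The order of the checks also matters: the containment test runs before os.path.isfile so that the script never probes the filesystem with a path it has not yet confined.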
 
Νίκος Γκρ33κ
 
      03-08-2013
On Friday, 8 March 2013 10:01:59 PM UTC+2, Ian wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <> wrote:
>> I dare anyone who wants to to mess with 'htmlpage' variable value's now!
>>
>> I made it unhackable i believe!
>>
>> I'am testing it myself 3 hours now and find it safe!
>>
>> Please feel free to try also!
>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.


Thank you very much for pointing out my flaws once again!

I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!

I have added extra security by following some of your advice; I wonder if you can hack it again!

Feel free to try if I'm not tiring you, please!
 