On 9/11/2013 8:37 AM, Chris Angelico wrote:
On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος <nikos.gr...@gmail.com> wrote:
I'm not saying this out of arrogance but i was really under the impression i had
secured my script.

And i had until i made some new changes last night, which i think i have
corrected now as we speak.

In other words, you closed off whatever you could see as being a
problem, and then boasted that the script was secure... until someone
proved to you that it wasn't. Your script is insecure by default, and
you're band-aid patching everything you happen to be made aware of.
What makes you think that it's now secure?

ChrisA



It's probably unwise to post the following snippet of code that validates user input so an attacker wouldn't pass arbitrary values to my script, but what the heck.....

==================================
import os
import re
import sys
import cgi

form = cgi.FieldStorage()

# initiate some local variables
htmlvalid = pyvalid = False
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

# define how the .html or .python pages are called
file = form.getvalue('file')  # this value should come only from .htaccess and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
page = form.getvalue('page')  # this value comes from 'index.html' or from within 'metrites.py'

# is it a python file or an html template?
if page and os.path.exists( cgi_path + page ):
        pyvalid = True
elif file and os.path.exists( file ):
        page = file.replace( path, '' )
        htmlvalid = True
else:
        file = 'forbidden'

.....
.....

if 'forbidden' in file:
        print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση στο script παρά μόνον μέσω της αρχικής σελίδας! Ανακατεύθυνση σε 5...''' )
        print( '''<meta http-equiv="REFRESH" content="5;URL=http://superhost.gr">''' )
        sys.exit(0)
==================================


Now, when it comes to database insertions i use this check to prevent bogus data:

==================================
# cookieID and host are set earlier in the script (not part of this excerpt)
if cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and re.search( r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)', host ) is None:
        pass  # the database insertion goes here
==================================

Even if i get re-hacked i'll find a security alternative.


--
https://mail.python.org/mailman/listinfo/python-list

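The check `os.path.exists( cgi_path + page )` in the posted script answers only "does something exist at this path", not "is this path inside cgi-bin", which is the gap Chris is pointing at. The following is an added example, not code from Nikos's script or from the thread: it resolves the user-supplied value with `os.path.realpath` and accepts it only if the result still lies under the intended directory and is a regular file. `confine` is the hardened check, `original_check` reproduces the posted test for comparison, `classify_request` mirrors the page/file decision of the script on top of `confine`, and `build_demo_tree` constructs a hypothetical throwaway layout in a temporary directory (the `public_html` and `cgi-bin` names follow the posted paths; the file contents are made up) so the example runs offline.

```python
import os
import tempfile


def confine(base_dir, user_value):
    """Resolve user_value inside base_dir and return the absolute path,
    or None if it is empty, contains a NUL byte, escapes base_dir
    (via '..', an absolute path or a symlink), or is not a regular file."""
    if not user_value or '\x00' in user_value:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_value is absolute; realpath then
    # collapses '..' segments and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_value))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def original_check(cgi_path, page):
    """The test from the posted script: true whenever the joined path exists,
    wherever on the filesystem it happens to point."""
    return bool(page) and os.path.exists(cgi_path + page)


def classify_request(page, file, path, cgi_path):
    """Hardened version of the page/file decision in the posted script.
    Returns ('python', absolute path), ('html', name relative to path)
    or ('forbidden', None)."""
    resolved = confine(cgi_path, page)
    if resolved:
        return 'python', resolved
    resolved = confine(path, file)
    if resolved:
        return 'html', os.path.relpath(resolved, os.path.realpath(path))
    return 'forbidden', None


def build_demo_tree():
    """Construct a hypothetical layout mirroring the posted paths:
    public_html/index.html, public_html/cgi-bin/metrites.py and one file
    outside the web root that the script must never serve."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, 'public_html') + os.sep
    cgi_path = os.path.join(path, 'cgi-bin') + os.sep
    os.makedirs(cgi_path)
    for name, text in ((os.path.join(path, 'index.html'), '<html></html>\n'),
                       (os.path.join(cgi_path, 'metrites.py'), '# cgi\n'),
                       (os.path.join(root, 'outside.txt'), 'not for the web\n')):
        with open(name, 'w') as fh:
            fh.write(text)
    return path, cgi_path


if __name__ == '__main__':
    path, cgi_path = build_demo_tree()
    for page in ('metrites.py', '../index.html', '../../outside.txt'):
        print('%-20s original: %-5s hardened: %s' % (
            page, original_check(cgi_path, page),
            classify_request(page, None, path, cgi_path)[0]))
```

Running the block shows the difference directly: the posted check accepts `../index.html` and `../../outside.txt` because both exist, while `confine` rejects them because the resolved path is no longer under `cgi-bin`. The comparison uses `commonpath` rather than `startswith` so that a sibling directory whose name merely begins with the base name is not mistaken for the base.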