[Python-Dev] FYI - wiki.python.org compromised
Robert Whitney
xnite at xnite.org
Thu Jan 10 21:27:06 CET 2013
To Whoever this may concern,

I believe the exploit in use on the Python Wiki could have been the
following remote arbitrary code execution exploit that myself and some
fellow researchers have been working with over the past few days. I'm
not sure if this has quite been reported to the Moin development team,
however this exploit would be triggered via a URL much like the following:

http://wiki.python.org/WikiSandBox?action=moinexec&c=uname%20-a

This URL of course would cause for the page to output the contents of
the command "uname -a". I think this is definitely worth your
researchers looking into, and please be sure to credit myself (Robert
'xnite' Whitney; http://xnite.org) for finding & reporting this
vulnerability.

Best of luck,
Robert 'xnite' Whitney

PS - If you have any further questions on this matter for me, please
feel free to use the contact information in my signature below or reply
to this email.
--
xnite (xnite at xnite.org)
Google Voice: 828-45-XNITE (96483)
Web: http://xnite.org
PGP Key: http://xnite.org/pgpkey
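
For anyone checking their own wiki's logs against the URL shape described in the message above, here is a log-hunting sketch. It is an added example, not part of the original email or of MoinMoin. It assumes Apache combined-format access logs; the sample lines, the function name and the case-insensitive matching are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2013:20:01:02 +0100] "GET /WikiSandBox?action=moinexec&c=uname%20-a HTTP/1.1" 200 512 "-" "curl/7.28"
192.0.2.11 - - [10/Jan/2013:20:02:10 +0100] "GET /FrontPage?action=raw HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Jan/2013:20:03:44 +0100] "GET /WikiSandBox?action=Moin%65xec&c=id HTTP/1.1" 200 130 "-" "-"
192.0.2.13 - - [10/Jan/2013:20:04:00 +0100] "GET /HelpContents HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SUSPECT_ACTION = "moinexec"  # action name taken from the URL in the message


def find_moinexec_requests(log_text):
    """Return one dict per request whose decoded 'action' parameter is moinexec."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        # parse_qs percent-decodes names and values, so an encoded action
        # name is compared in its decoded form. Names and values are
        # lower-cased here as a deliberately broad hunting choice.
        params = {k.lower(): v for k, v in
                  parse_qs(parts.query, keep_blank_values=True).items()}
        actions = [a.lower() for a in params.get("action", [])]
        if SUSPECT_ACTION in actions:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "page": parts.path,
                "status": int(m["status"]),
                "c": params.get("c", [""])[0],  # decoded 'c' parameter
            })
    return hits


if __name__ == "__main__":
    for hit in find_moinexec_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this only covers requests shaped like the URL in the message.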