Python cross-site scripting exploits?
Robin Becker
robin at jessikat.fsnet.co.uk
Thu May 23 04:18:01 EDT 2002
A while back I asked if there were any obvious vulnerabilities in Python
cgi scripting. At the time it seemed no-one would respond positively,
but I see that recently both Mailman and viewCVS have been exploited.
mailman has compile stuff, but isn't viewCVS pure Python?
The viewCVS exploit is detailed here
http://lwn.net/2002/0523/a/viewcvs.php3
Can some wizard kindly explain exactly how the client CGI is made
responsible for security defence against bad URLs. It seems to me that
the client browser should be responsible, but apparently not.
The alleged fix seems to involve more complete argument checking, is
that required for any such defence? What should the request response be?
--
Robin Becker
More information about the Python-list
mailing list