Python cross-site scripting exploits?

Ian Bicking ianb at colorstudy.com
Thu May 23 12:50:28 EDT 2002 

On Thu, 2002-05-23 at 03:18, Robin Becker wrote:
> A while back I asked if there were any obvious vulnerabilities in Python
> cgi scripting. At the time it seemed no-one would respond positively,
> but I see that recently both Mailman and viewCVS have been exploited.
> 
> mailman has compile stuff, but isn't viewCVS pure Python?
> 
> The viewCVS exploit is detailed here
> 
>         http://lwn.net/2002/0523/a/viewcvs.php3
> 
> Can some wizard kindly explain exactly how the client CGI is made
> responsible for security defence against bad URLs. It seems to me that
> the client browser should be responsible, but apparently not.

You have to be a little careful about expecting even minimally valid
input, since an attacker can submit invalid data.  However, in this case
the victim has to follow the invalid link, so it is the browser's fault
that it submits invalid data.  OTOH, I have seen numerous places where
poorly-written scripts depend on embedding <>'s in attributes, and
browsers tend to be forgiving of HTML authors' mistakes.  

> The alleged fix seems to involve more complete argument checking, is
> that required for any such defence? What should the request response be?

In almost all exploits like this, the solution is to do proper quoting,
not argument checking.  Otherwise you make valid input illegal. 
Sometimes this "valid" input is borderline, and you may not want to
include it anyway... but filenames like "test>out" are valid (but
require quoting in the shell -- but not in open!).  Many people don't
expect characters like " or <> in their input, but later on they might
be appropriate (e.g., someone entering their name as Jesse "The Body"
Ventura)

This quoting can't be done generally, as different places need different
quoting -- the most common being URL quoting, HTML quoting, shell
quoting, and SQL quoting.

PHP does try to do general quoting -- I can't remember the setting, but
it's common for it to be set up to do backslash quoting of all input. 
However, this is stupid.  Backslash quoting does nothing for HTML
output.  You'll often see PHP-generated pages where ' is replaced with
\', usually inappropriately.  It only helps in SQL and shell commands. 
I find the shell to be horribly inappropriate for CGI programs anyway --
os.popen can take a list for the first argument, which is superior and
avoids most exploits (but you should be careful about -X options).  SQL
quoting is obnoxious, because you often will construct a SQL statement
from multiple sources, some of which come from the user (and are
\-quoted) and some which to not.  If you double-quote the user's input,
you will again get spurious \'s (since input like "joe'; arbitrary sql"
will become "joe\'; arbitrary sql" and then "'joe\\\'; arbitrary sql'")

Perl's tainting is better, but simple thoughtfulness is sufficient,
IMHO.  And thorough quoting.

  Ian

More information about the Python-list mailing list