To whoever hacked into my Database

Νίκος Αλεξόπουλος nikos.gr33k at gmail.com
Sat Nov 9 02:05:51 EST 2013


On 9/11/2013 8:37 AM, Chris Angelico wrote:
> On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος <nikos.gr33k at gmail.com> wrote:
>> I'm not saying this out of arrogance, but I was really under the impression I had
>> secured my script.
>>
>> And I had, until I made some new changes last night, which I think I have
>> corrected now as we speak.
>
> In other words, you closed off whatever you could see as being a
> problem, and then boasted that the script was secure... until someone
> proved to you that it wasn't. Your script is insecure by default, and
> you're band-aid patching everything you happen to be made aware of.
> What makes you think that it's now secure?
>
> ChrisA
>


It's probably unwise to post the following snippet of code that validates 
user input so an attacker wouldn't pass arbitrary values to my script, 
but what the heck.....

==================================
import os
import sys
import cgi

# assumed: the post does not show where `form` comes from; the standard
# CGI request object is the usual source
form = cgi.FieldStorage()

# initiate some local variables
htmlvalid = pyvalid = False
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

# define how the .html or .python pages are called
# this value should come only from .htaccess and not as
# http://superhost.gr/~nikos/cgi-bin/metrites.py
file = form.getvalue('file')
# this value comes from 'index.html' or from within 'metrites.py'
page = form.getvalue('page')

# is it a python file or an html template?
if page and os.path.exists( cgi_path + page ):
    pyvalid = True
elif os.path.exists( file ):
    page = file.replace( path, '' )
    htmlvalid = True
else:
    file = 'forbidden'

# .....
# .....

if 'forbidden' in file:
    print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση στο 
script παρά μόνον μέσω της αρχικής σελίδας!	Ανακατεύθυνση σε 5...''' )
    print( '''<meta http-equiv="REFRESH" 
content="5;URL=http://superhost.gr">''' )
    sys.exit(0)
==================================


Now, when it comes to database insertions I use this check to prevent 
bogus data:

==================================
import re

# cookieID and host are set earlier in the script (not shown in the post)
if ( cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and
     re.search(
         r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
         host ) is None ):
    pass  # the insertion itself is not shown in the post
==================================

Even if I get re-hacked I'll find a security alternative.
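The validation above decides whether a request is allowed by concatenating the request value onto a directory and asking `os.path.exists`, which accepts any name that happens to resolve to an existing file, wherever it lives. The following is an added example, not code from the post, showing the usual way to validate a page parameter for a CGI script like this one: restrict the name to a plain file name with an allowed extension before touching the filesystem, then confirm the resolved path still lies inside the intended directory. It assumes that `page` and `file` are bare file names relative to `cgi-bin/` and `public_html/` respectively (the post passes `file` as a full path), and the directory layout in `demo()` is constructed for the example.

```python
import os
import re
import tempfile

# A page name is letters, digits, underscore or dash (1-64 chars) plus one
# short extension. No '/', '\\' or '..' can match, so traversal sequences are
# rejected before any filesystem call is made.
PAGE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}\.([a-z]{1,5})$')


def resolve_page(base_dir, name, allowed_exts):
    """Return the absolute path of `name` inside `base_dir`, or None if the
    value is not a plain file name with an allowed extension, or if the
    resolved path escapes `base_dir` (for example through a symlink)."""
    if not isinstance(name, str):
        return None
    match = PAGE_NAME_RE.match(name)
    if match is None or match.group(1) not in allowed_exts:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Belt and braces: even with the regex, the real path must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_request(public_html, cgi_bin, page, file):
    """Mirror the post's three outcomes: a python page under cgi-bin, an html
    template under public_html, or 'forbidden' for everything else.
    Returns (kind, absolute_path_or_None)."""
    if page is not None:
        target = resolve_page(cgi_bin, page, ('py',))
        if target is not None and os.path.isfile(target):
            return 'python', target
    if file is not None:
        target = resolve_page(public_html, file, ('html',))
        if target is not None and os.path.isfile(target):
            return 'html', target
    return 'forbidden', None


def demo():
    """Build a throwaway public_html tree (constructed for this example) and
    classify a few constructed requests. Returns {label: kind}."""
    with tempfile.TemporaryDirectory() as root:
        public_html = os.path.join(root, 'public_html')
        cgi_bin = os.path.join(public_html, 'cgi-bin')
        os.makedirs(cgi_bin)
        open(os.path.join(public_html, 'index.html'), 'w').close()
        open(os.path.join(cgi_bin, 'metrites.py'), 'w').close()

        requests = {
            'python page': dict(page='metrites.py', file=None),
            'html page': dict(page=None, file='index.html'),
            'missing page': dict(page='nothere.py', file=None),
            # exists on disk, but outside cgi-bin: rejected by the name check
            'traversal': dict(page='../index.html', file=None),
            'absolute path': dict(page=None, file='/etc/hostname'),
            'wrong extension': dict(page='index.html', file=None),
        }
        return {label: classify_request(public_html, cgi_bin, **req)[0]
                for label, req in requests.items()}


if __name__ == '__main__':
    for label, kind in demo().items():
        print('%-16s -> %s' % (label, kind))
```

The point of checking the name before calling into the filesystem is that the original concatenate-then-`exists` pattern treats "exists somewhere" as "is one of my pages"; with a name allowlist plus the `realpath`/`commonpath` check, the only files the script will ever open are regular files sitting directly inside the two directories it was written to serve.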





More information about the Python-list mailing list