[Tutor] hacking 101

Andrei Kulakov ak@silmarill.org
Mon, 1 Apr 2002 09:38:18 -0500


On Sat, Mar 30, 2002 at 08:18:47PM -0500, kirk Bailey wrote:
> OK, comes now before you an unusual question.
> 
> I want to learn about hacking a computer.
> 
> See, I want to complete the program for creating a list using a web
> form. BUT I know that it is possible to insert escape codes and such to
> take over control and do unintended things, but I know nothing of how
> this is done. I WANT TO UNDERSTAND IT SO I CAN WATCH FOR SUCH ATTEMPTS
> AND ABORT THE PROCESS if they are detected. To PREVENT hacking, one
> must UNDERSTAND hacking. Any takers? Feel free to reply to me off list
> if you prefer.
> 
> 
> -- 
>  
> end
> 	    Respectfully,
> 			 Kirk D Bailey
>
Well, when I made an irc bot (that prints output of "fortune" command
and that sort of thing), I ran into a few exploits.. well actually kind
people of #python ran into a few exploits, but more to the point: I was
parsing variables and passing them to os.system() call and the problem
was that I only checked for ';' character there, thinking that the only
thing they could abuse was command of form fortune pattern; rm -rf /.
Evidently there's also stuff like $(rm -rf /.), and others I forget
about. Firstly, try not to use anything you got from user in an
os.system call. Secondly, if you do, only allow things that they
absolutely need, for instance only string.letters. If you need @ there,
add @. Be paranoid - instead of excluding dangerous stuff only include
safe things.

> _______________________________________________
> Tutor maillist  -  Tutor@python.org
> http://mail.python.org/mailman/listinfo/tutor
> 

-- 
Cymbaline: intelligent learning mp3 player - python, linux, console.
get it at: cy.silmarill.org
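The reply above describes two things: a ';'-only blacklist that an input such as $(...) walks straight past, and the fix of accepting only the characters the feature needs. The following is an added example written for this page, not code from either poster or from the irc bot mentioned. It puts the weak check beside an allowlist check and builds the fortune command as an argument vector so no shell ever sees the user string. The function names, the ALLOWED character set, the MAX_LEN limit and the use of `fortune -m PATTERN` are this example's own assumptions.

```python
"""Added example: blacklist versus allowlist validation of user input that
ends up in a command line, plus a shell-free way to run the command."""
import string
import subprocess

# The check the reply describes: only ';' is rejected. Shell features such as
# $(...), backticks, '|' and '&&' pass through untouched, so it is not a defence.
def blacklist_check(pattern: str) -> bool:
    return ";" not in pattern

# Allowlist: accept only characters the feature actually needs. The reply's
# string.letters is called string.ascii_letters in Python 3. Add '@' (or digits)
# here only if the feature genuinely requires them.
ALLOWED = set(string.ascii_letters)
MAX_LEN = 40  # assumed limit for this example; keeps log entries sane too

def allowlist_check(pattern: str) -> bool:
    return 0 < len(pattern) <= MAX_LEN and all(ch in ALLOWED for ch in pattern)

def fortune_argv(pattern: str) -> list:
    """Build the argument vector for `fortune -m PATTERN` (assumed option).
    Raises ValueError when the allowlist rejects the input, so the caller can
    abort the request (and log it) instead of forwarding the string."""
    if not allowlist_check(pattern):
        raise ValueError("rejected pattern %r" % pattern)
    return ["fortune", "-m", pattern]

def run_fortune(pattern: str) -> str:
    """Run fortune without a shell: subprocess.run with a list and shell=False
    passes each element as one argument, so metacharacters in `pattern` are
    never interpreted as shell syntax. (Validation still happens first, since
    the called program may give its own meaning to odd input.)"""
    argv = fortune_argv(pattern)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout

if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, three with shell syntax.
    for candidate in ["python", "python; echo hijacked", "$(echo hijacked)", "`id`"]:
        print("%-24r blacklist=%-5s allowlist=%s"
              % (candidate, blacklist_check(candidate), allowlist_check(candidate)))
```

Running the block prints that the blacklist passes both "$(echo hijacked)" and "`id`", while the allowlist rejects everything but "python". The point of fortune_argv is that a failed check raises before any process is started, which is the "watch and abort" behaviour asked for in the question.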