Serious privacy leak in Python for Windows

From: Richard M. Smith (rmsat_private)
Date: Tue Jan 15 2002 - 11:48:05 PST

Next message: Mandrake Linux Security Team: "MDKSA-2002:003 - sudo update"

Previous message: secureat_private: "[CLA-2002:451] Conectiva Linux Security Announcement - sudo"
Next in thread: Alan Caulkins: "Re: Serious privacy leak in Python for Windows"
Reply: Alan Caulkins: "Re: Serious privacy leak in Python for Windows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

There is a privacy leak problem in many Python implementations 
for Windows which allow a malicious Web page or HTML email message 
to read the contents of file from a user's hard drive and send the 
contents back to a Web site.  The problem occurs in Windows Python 
implementations that supports Python as a scripting language for Web 
pages in Internet Explorer.  

The problem exists because the Python runtime library does not 
consider file read operations to be a security risk.  File read 
operations are allowed to execute on a Web page without restriction.  
File write operations, on the other hand, are blocked.

For example, the following Python code on a Web page will
run successfully:

   <SCRIPT language=python>
   import __builtin__
   myfile = __builtin__.open("c:\\autoexec.bat")
   document.write(str(myfile.readlines()))
   myfile.close()
   </SCRIPT>

This particular example opens the file c:\autoexec.bat and writes 
the file contents to the Web page.  The program could easily 
be changed to send the contents of the file back to a Web site 
by using an HTML form, a Web bug, or the Microsoft XML HTTP 
ActiveX control.

Here is a second example, that shows a directory listing of C:\ on a Web
page:

   <SCRIPT language=python>
   import os
   for file in os.listdir("c:\\"):
      document.writeln(file, "<br>");
   </SCRIPT>

This directory listing example is available online to test to see 
if a particular computer system is vulnerable to the problem or not:

   http://www.computerbytesman.com/privacy/pythondirdemo.htm

To fix this privacy leak, the Python runtime library should block 
all file operations when Python code is being used on a Web page, 
not just file write operations.

There might also be workarounds to this problem either in 
Microsoft's ActiveScripting support in IE or in the Python 
runtime library.  However, I am not an expert on either 
technology to know what these work-arounds might be.  Please 
drop me an email if you have any suggestions.

Richard M. Smith
http://www.computerbytesman.com

Next message: Mandrake Linux Security Team: "MDKSA-2002:003 - sudo update"
Previous message: secureat_private: "[CLA-2002:451] Conectiva Linux Security Announcement - sudo"
Next in thread: Alan Caulkins: "Re: Serious privacy leak in Python for Windows"
Reply: Alan Caulkins: "Re: Serious privacy leak in Python for Windows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 20:25:30 PST