[NT] Serious Privacy Leak in Python for Windows

From: support@securiteam.com
Date: 01/25/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 25 Jan 2002 10:40:38 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Serious Privacy Leak in Python for Windows
------------------------------------------------------------------------

SUMMARY

There is a privacy leak problem in many Python implementations for Windows
that allows a malicious Web page or HTML email message to read the contents
of a file from a user's hard drive and send the contents back to a Web site.
The problem occurs in Windows Python implementations that support Python
as a scripting language for Web pages in Internet Explorer.

DETAILS

The problem exists because the Python runtime library does not consider
file read operations to be a security risk. File read operations are
allowed to execute on a Web page without restriction. File write
operations, on the other hand, are blocked.

For example, the following Python code on a Web page will run
successfully:

   <SCRIPT language=python>
   import __builtin__
   # Read access is not blocked by the runtime, so this open() succeeds
   myfile = __builtin__.open("c:\\autoexec.bat")
   # The file contents are written straight into the page
   document.write(str(myfile.readlines()))
   myfile.close()
   </SCRIPT>

This particular example opens the file c:\autoexec.bat and writes the file
contents to the Web page. The program could easily be changed to send the
contents of the file back to a Web site by using an HTML form, a Web bug,
or the Microsoft XML HTTP ActiveX control.

Here is a second example that shows a directory listing of C:\ on a Web
page:

   <SCRIPT language=python>
   import os
   # Directory listings are also permitted; each entry becomes a page line
   for name in os.listdir("c:\\"):
      document.writeln(name, "<br>")
   </SCRIPT>

This directory-listing example is available online so that a particular
computer system can be tested for the problem:

    http://www.computerbytesman.com/privacy/pythondirdemo.htm

To fix this privacy leak, the Python runtime library should block all file
operations when Python code is being used on a Web page, not just file
write operations.

Workaround:
How can I configure client-side PerlScript security?

PerlScript in IE 4.0 and higher can be enabled or disabled per security zone:

    HKEY_LOCAL_MACHINE\SOFTWARE\ActiveState\PerlScript\1.0
    REG_DWORD: EnabledZones = 0x0010 (default)

Values

    Enable All 0x0001
    Enable Local 0x0010
    Enable Internet 0x0020
    Enable Trusted 0x0040
    Enable Restricted 0x0080 (for the perverse)

IE3 is more limited; it is an all-or-nothing affair. For IE3 the only
values recognized are:

Values

    Disable All 0x0000
    Enable All 0x0001
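To audit the registry setting above, the EnabledZones DWORD has to be decoded into the zones it enables and checked against the zones an attacker-controlled page would fall into. The following helper is an added example, not from the advisory or from ActiveState; it uses the bit values exactly as listed above, treats Internet and Restricted as the untrusted zones (an assumption of the example), and takes the registry subkey as a parameter because the advisory gives the key for PerlScript without stating whether the Python engine uses the same one.

```python
"""Added example: decode, check and harden an EnabledZones bitmask as
listed in the advisory's workaround. Hypothetical helper, not ActiveState
code."""
import sys

# Bit values exactly as listed in the advisory
ZONE_BITS = {
    "All": 0x0001,
    "Local": 0x0010,
    "Internet": 0x0020,
    "Trusted": 0x0040,
    "Restricted": 0x0080,
}
NAMED_ZONES = {n: b for n, b in ZONE_BITS.items() if n != "All"}

# Assumption of this example: zones in which a hostile page can be served
UNTRUSTED_ZONES = {"Internet", "Restricted"}


def enabled_zones(value):
    """Return the set of zone names in which scripting is enabled.
    The 'Enable All' bit overrides the per-zone bits."""
    if value & ZONE_BITS["All"]:
        return set(NAMED_ZONES)
    return {name for name, bit in NAMED_ZONES.items() if value & bit}


def is_risky(value):
    """True if scripting is enabled in any untrusted zone."""
    return bool(enabled_zones(value) & UNTRUSTED_ZONES)


def hardened(value):
    """Return the value with scripting disabled in the untrusted zones,
    keeping whatever was enabled elsewhere."""
    if value & ZONE_BITS["All"]:
        # Expand 'Enable All' into explicit per-zone bits before clearing any
        value = sum(NAMED_ZONES.values())
    for name in UNTRUSTED_ZONES:
        value &= ~ZONE_BITS[name]
    return value


def read_registry_value(subkey, name="EnabledZones"):
    """Read the live DWORD under HKEY_LOCAL_MACHINE on Windows; None elsewhere.
    subkey is e.g. the PerlScript path quoted in the advisory."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        value, _ = winreg.QueryValueEx(key, name)
        return value


if __name__ == "__main__":
    # Constructed sample values: the documented default and a loosened one
    for sample in (0x0010, 0x0030, 0x0001):
        print(f"{sample:#06x}: zones={sorted(enabled_zones(sample))} "
              f"risky={is_risky(sample)} hardened={hardened(sample):#06x}")
```

The documented default of 0x0010 decodes to Local only and is not flagged; a value such as 0x0030 (Local plus Internet) is flagged and hardens back to 0x0010, while 0x0001 (everything) hardens to 0x0050 (Local plus Trusted). Writing the hardened value back is left to the administrator's change process rather than done by the helper.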

ADDITIONAL INFORMATION

The information has been provided by Richard M. Smith
<rms@COMPUTERBYTESMAN.COM> and Robert Rothenberg
<rrothenberg@NOTES.CC.SUNYSB.EDU>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
