#1
  1. Business *****

    Research: Python vulnerabilities


    Hi... I'm currently doing some research on vulnerabilities for several programming languages... I'm not an enormous programmer myself, and therefore I'm asking you guys if you would please give me any information you can on Python vulnerabilities, like: What functions you shouldn't use? (and alternatives for these), what methods you should use to prevent exploitation? etc.

    I really hope you'll help me here, I need all the information I can get.

    With regards
    Michael Mortensen
  2. #2
    What functions you shouldn't use? (and alternatives for these)
    exec(), eval(), and input() will all evaluate Python code, and really should not be called on user input, in case the user is malicious.

    There are no alternatives; don't execute user-provided code full stop.

    what methods you should use to prevent exploitation? etc.
    There's nothing that I can think of in Python off the top of my head; it has memory management so you don't get buffer overflow errors and such like...

    Other things are more to do with your design or connecting to other systems - e.g. if you are writing a program with user logins, make sure you don't store plain text passwords, and you should be careful with SQL when talking to a database when dynamically creating SQL from web input, say, but those aren't "Python the language" concerns, they apply to any language.
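
The calls named in the reply above can be found mechanically. This added example (not part of the thread) walks a file's syntax tree and reports eval() and exec() calls whose argument is not a literal, plus input() when the code targets Python 2, where input() evaluates what is typed. The function name `find_risky_calls` and the sample source are constructed for illustration.

```python
import ast


def find_risky_calls(source, python2=True):
    """Return sorted (line, builtin) pairs for calls that can evaluate input.

    The source must parse under the Python 3 grammar. Only direct calls by
    name are seen; aliases such as `e = eval; e(x)` are not followed.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        name = node.func.id
        if name in ("eval", "exec"):
            # A literal argument cannot carry user input; anything else can.
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                findings.append((node.lineno, name))
        elif name == "input" and python2:
            # Python 2 input() is eval(raw_input()); Python 3 input() returns str.
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample source, not taken from the thread.
SAMPLE = '''\
age = input("Age: ")
total = eval(expr)
name = raw_input("Name: ")
exec(plugin_code)
two = eval("1 + 1")
'''

if __name__ == "__main__":
    for lineno, name in find_risky_calls(SAMPLE):
        print(f"line {lineno}: {name}() may evaluate user-controlled text")
```
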
  4. #3
    For the input function there is raw_input("...") which a lot of beginners use.

    About exploitation, I can't really think of anything else either, except maybe the speed a little; it is not very fast (if I understand the question) :P.
    Those people who think they know everything are a great annoyance to those of us who do.
  6. #4
    If a user has physical access to the machine then Python is weaker than truly compiled code.

    Python is often distributed to users in plain text - this obviously is a vulnerability in a multi-user system and the system admin must take precautions (the same as for any shell script or configuration file).

    Some increased security is possible with distributing only bytecode files but that is weak as a hacker only has to insert a new text file to have it replaced.

    Python uses environment variables to define its search path for modules. In principle a hacker could change that path to allow substitution of their own modules. Or they could just write their own modules and drop them in somewhere in the existing search path that has not been locked down properly.

    Pre-compiled byte code modules are easily hacked to change values.

    The above could apply to any program/language that uses plain text, a modular approach and makes use of libraries of support modules or dlls.

    Python has an RPC module - in principle a remote machine could inject harmful data.

    Python has a number of internet modules that are not really hardened for general use. They are easy to use so it's tempting to use them.

    grim
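
The search-path concern in the post above can be checked on a given host. This added example (not part of the thread) reports module search-path entries that were supplied through the PYTHONPATH environment variable or that are group- or world-writable directories. It assumes POSIX permission bits, and the function name `audit_search_path` is constructed for illustration.

```python
import os
import stat
import sys


def audit_search_path(entries, environ=None):
    """Return (path, reason) pairs for entries that allow module substitution."""
    environ = os.environ if environ is None else environ
    from_env = {
        os.path.abspath(p)
        for p in environ.get("PYTHONPATH", "").split(os.pathsep)
        if p
    }
    findings = []
    for entry in entries:
        # An empty sys.path entry means the current working directory.
        path = os.path.abspath(entry or os.curdir)
        if path in from_env:
            findings.append((path, "set via PYTHONPATH"))
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue  # entries that do not exist cannot be inspected
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_search_path(sys.path):
        print(f"{path}: {reason}")
```
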
  8. #5
    Python is an "open source" language. The "open source" concept is sort of the opposite of, well, Microsoft or the Bush White House. The concept inherits a certain amount of vulnerability to the Knarl Roves of this world.
  10. #6
    I bet it does not influence it too much because they would not be bothered to go through millions of lines of C code.
  12. #7
    Python is a pretty secure implementation of a language. Even with what Grim said, if a system is secured and read/write access is restricted properly you wouldn't even have to worry about a lot of the things he is talking about.

    Being that the most compiled form you get with Python is a byte-code that is easier than a truly compiled app to be reversed. You can't really hide behind the fact that no one can see your code, like many closed source companies such as M$ do. Which is good, because if the only time your program is secure is when no one can see the code, IMO that means you have no business releasing the code for public use and/or implementing it in any type of production use.

    Python sorta forces authors to write more secure code since they don't have that false layer of security there.

    Python isn't truly error prone like many lower languages are, such as C or C++. Buffer overflows, a very common security hole in many apps, don't happen in Python, and handling of user input can be very secure with very little effort, which lets lazy coders make better code.

    Overall I would say Python is pretty secure; it still has the stupid mistakes of the coder and implementer, those I fear will never be able to be fixed. However a well coded Python app put into a secure restricted server will be pretty secure against most of the popular types of cracks.
