
Re: Sharing scripts


From: David Bateman
Subject: Re: Sharing scripts
Date: Fri, 12 Mar 2010 16:12:26 +0100
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090706)

Anders,

You should keep your replies on the list so that others might profit from the discussion in the future.

Anders Movert wrote:
Hi David,

Thank you for your mail.
I will filter out commands that might be harmful, but I worry if I have
caught them all.
If you have any others that you think I should filter out I am grateful if
you let me know.
Wow, all the dangerous commands, it might be hard to get them all. The ones I mentioned definitely are, and are probably the most obvious... Though the "dos" and "unix" commands are others that would easily allow arbitrary code to be run, though you might have to overload the isunix function to get it to do so. I'd say the "edit" command might be abused, but with your web interface perhaps not. You might be able to use the gnuplot_binary function by setting it to an arbitrary command and then trying to plot something...

The functions fopen, fread and family (fputs, fgets, etc.) could be used to read and write files on your server, or at least those accessible to your web server. That might however be enough to upload a malicious PHP file and run it.

Something like

x = ones (1024, 1024);        # 8 MB of doubles; semicolon so it is not echoed
for i = 1:1e6
  save (tmpnam (), "x");      # save takes the variable *name* as a string
end

might be used to fill up your disk and so would be an effective DDOS... Those are the ideas I can come up with with a few minutes of thought. The easiest attack though is "system", with a nasty example being

system (":(){ :|:& };:")      # the bash fork bomb, passed to the shell as a string

though don't run that unless you understand what a fork bomb is and have protected against it on your server. Thinking about it, even

while (true), fork(); end

in octave itself would be just as effective...

Maybe others might be able to think of some attacks that will help you protect your Octave web server.

Cheers
David




Best regards,

Anders

-----Original Message-----
From: David Bateman [mailto:address@hidden]
Sent: 10 March 2010 21:57
To: MathCloud
Cc: address@hidden
Subject: Re: Sharing scripts

MathCloud wrote:
Hi,

I've made a web page where you can run Octave, make scripts and share
scripts and data.

When you share a script, everybody can run it directly without doing any
downloading etc.

It is free and the purpose is to make Octave more powerful by making your
scripts or toolboxes available to others. It is like someone can install a
new toolbox in my Matlab or Octave software from remote.

Check it out and sign up for beta testing:

www.mathcloud.se

Best regards,

Anders Movert, MathCloud
You might want to consider removing the commands like "system", "popen", "popen2", "fork", "exec" if you want to prevent someone running arbitrary code on your server

D.






--
David Bateman                                address@hidden
35 rue Gambetta                              +33 1 46 04 02 18 (Home)
92100 Boulogne-Billancourt FRANCE            +33 6 72 01 06 33 (Mob)
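For anyone building the kind of service discussed in this thread, here is an added example (the editor's own code, not MathCloud's and not part of Octave) of the two controls the discussion points at: a scanner that rejects scripts mentioning the names David lists, and a wrapper that runs Octave under resource limits so that the fork loop and the save loop hit a ceiling instead of the server. The treatment of Octave's eval/feval/str2func as indirect call paths, the octave command-line flags, the limit values and the helper names are assumptions made for the example, not something the thread states.

```python
"""Screening and sandboxing helpers for a web front end that runs user-supplied
Octave scripts (added example; not MathCloud's code)."""
import re
import subprocess

# Names the thread identifies as giving arbitrary code execution, file access
# on the server, or an easy denial of service.
DANGEROUS = {
    "system", "popen", "popen2", "fork", "exec",        # run arbitrary programs
    "dos", "unix",                                       # shell out on the matching platform
    "edit", "gnuplot_binary",                            # can be pointed at an external command
    "fopen", "fread", "fwrite", "fputs", "fgets",        # read/write files the web server can reach
    "save", "tmpnam",                                    # the disk-filling loop from the thread
}

# Assumption (not from the thread): Octave names that turn a string into a
# call.  A filter that only looks for DANGEROUS spelled out as an identifier
# misses feval (["sys" "tem"], "id"), so these are reported separately.
INDIRECT = {"eval", "evalin", "feval", "str2func"}

# Every identifier-shaped token, including those inside strings and comments.
# Over-reporting is deliberate: stripping comments with a regex could be
# fooled by a '%' inside a string literal, and a name inside a string is
# exactly what feval() needs.
_IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


def scan_script(src):
    """Return {"direct": [...], "indirect": [...]}: names from DANGEROUS and
    INDIRECT that occur anywhere in src.  Rejecting on any hit is the safe
    policy; an empty result does not prove the script is harmless."""
    names = set(_IDENT.findall(src))
    return {"direct": sorted(names & DANGEROUS),
            "indirect": sorted(names & INDIRECT)}


def sandbox_limits(cpu_seconds=10, mem_bytes=512 * 2**20,
                   file_bytes=16 * 2**20, procs=16):
    """Per-process limits for one Octave run, as (rlimit name, soft, hard).
    NPROC caps the fork loop and the shell fork bomb; FSIZE caps each file,
    but the *number* of files tmpnam()/save can create still needs a disk
    quota or a size-limited tmpfs on TMPDIR (set up outside this script)."""
    return [("RLIMIT_CPU", cpu_seconds, cpu_seconds),
            ("RLIMIT_AS", mem_bytes, mem_bytes),
            ("RLIMIT_FSIZE", file_bytes, file_bytes),
            ("RLIMIT_NPROC", procs, procs)]


def _apply_limits(limits):
    # Runs in the child between fork() and exec(); Unix only.
    import resource
    for name, soft, hard in limits:
        resource.setrlimit(getattr(resource, name), (soft, hard))


def run_octave(script_path, workdir, timeout=15):
    """Run one already-screened script under sandbox_limits().  Assumes an
    'octave' binary on PATH and a dedicated unprivileged uid for the worker
    (RLIMIT_NPROC counts every process of that uid).  The caller removes
    workdir afterwards, which also cleans up anything written via TMPDIR."""
    cmd = ["octave", "--norc", "--quiet", "--no-window-system", script_path]
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "TMPDIR": workdir}
    return subprocess.run(cmd, cwd=workdir, env=env, capture_output=True,
                          text=True, timeout=timeout,
                          preexec_fn=lambda: _apply_limits(sandbox_limits()))


if __name__ == "__main__":
    # Constructed samples: the thread's save loop, a plain system() call, and
    # an indirect call that a name list alone would not catch.
    for sample in ('x = ones (1024, 1024);\nfor i = 1:1e6\n  save (tmpnam (), "x");\nend',
                   'system ("id")',
                   'feval (["sys" "tem"], "id")'):
        print(scan_script(sample))
```

The scanner is intentionally crude: it looks at every word in the file, strings and comments included, because any attempt to be cleverer (skipping comments, parsing strings) opens a gap that feval() or a stray "%" can walk through. The limits are the part that actually holds against the two denial-of-service loops in the thread; the name filter only raises the cost.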


