Re: Sharing scripts
From: David Bateman
Subject: Re: Sharing scripts
Date: Fri, 12 Mar 2010 16:12:26 +0100
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090706)
Anders,
You should keep your replies on the list so that others might profit
from the discussion in the future.
Anders Movert wrote:
Hi David,
Thank you for your mail.
I will filter out commands that might be harmful, but I worry if I have
caught them all.
If you have any others that you think I should filter out I am grateful if
you let me know.
Wow, all the dangerous commands, it might be hard to get them all. The
ones I mentioned definitely are, and are probably the most obvious...
Though the "dos" and "unix" commands are others that would easily allow
arbitrary code to be run, though you might have to overload the isunix
function to get it to do so. I'd say the "edit" command might be abused,
but with your web interface perhaps not. You might be able to use the
gnuplot_binary function by setting it to an arbitrary command and then
trying to plot something....
The functions fopen, fread and family (fputs, fgets, etc) could be used
to read and write files to your server, or at least those accessible to
your web server. That might however be enough to upload a malicious PHP
file and run it.
Something like
    x = ones(1024,1024)
    for i = 1: 1e6
    save (tmpnam(), x);
    end
might be used to fill up your disk and so would be an effective DDOS...
Those are the ideas I can come up with in a few minutes of thought.
The easiest attack though is "system" with a nasty example being
    system(":(){:;:&);:")
though don't run that unless you understand what a fork bomb is and have
protected against it on your server. Thinking about it, even
    while (true), fork(); end
in octave itself would be just as effective...
Maybe others might be able to think of some attacks that will help you
protect your Octave web server.
Cheers
David
Best regards,
Anders
-----Original Message-----
From: David Bateman [mailto:address@hidden]
Sent: 10 March 2010 21:57
To: MathCloud
Cc: address@hidden
Subject: Re: Sharing scripts
MathCloud wrote:
Hi,
I've made a web page where you can run Octave, make scripts and share
scripts and data.
When you share a script, everybody can run it directly without doing any
downloading etc.
It is free and the purpose is to make Octave more powerful by making your
scripts or toolboxes available to others. It is like someone can install a
new toolbox in my Matlab or Octave software remotely.
Check it out and sign up for beta testing:
www.mathcloud.se
Best regards,
Anders Movert, MathCloud
You might want to consider removing the commands like "system", "popen",
"popen2", "fork", "exec" if you want to prevent someone running
arbitrary code on your server
D.
--
David Bateman address@hidden
35 rue Gambetta +33 1 46 04 02 18 (Home)
92100 Boulogne-Billancourt FRANCE +33 6 72 01 06 33 (Mob)
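The thread above lists the Octave functions a shared script runner should refuse to execute (process spawning, file access, disk filling) and warns that such a list is hard to complete. The following is an added example, not code from this thread or from MathCloud: a small static pre-screen, in Python, that a web runner could apply to a submitted script before handing it to Octave. It flags the names David names in the thread, and additionally (an assumption of this example, not something the thread states) the dynamic-dispatch functions eval, evalin, feval and str2func, since a script can reach any denylisted function through them by name at run time. The sample scripts embedded below are constructed for this example.

```python
"""Static denylist pre-screen for Octave scripts submitted to a shared web runner."""
import re

DENYLIST = frozenset({
    # named in the thread: spawn a process or run arbitrary code
    "system", "popen", "popen2", "fork", "exec", "dos", "unix", "edit",
    "gnuplot_binary",
    # named in the thread: file access on the server and disk filling
    "fopen", "fread", "fwrite", "fputs", "fgets", "save", "tmpnam",
    # assumption added in this example: dynamic dispatch by name, which
    # defeats a purely static name filter unless it is itself refused
    "eval", "evalin", "feval", "str2func",
})

IDENT = re.compile(r"[A-Za-z_]\w*")


def _is_transpose(line, i):
    """A single quote directly after an identifier, number, closing bracket,
    dot or another quote is Octave's transpose operator, not a string start."""
    prev = line[i - 1] if i > 0 else ""
    return prev.isalnum() or prev in "_)]}'."


def strip_comments_and_strings(line):
    """Return the code part of one Octave line with string literals blanked
    out and any trailing %/# comment removed, so names that only appear in
    text (e.g. in a message string) are not reported."""
    out = []
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c in "%#":
            break  # comment runs to end of line
        if c == '"' or (c == "'" and not _is_transpose(line, i)):
            j = i + 1
            while j < n:
                if c == '"' and line[j] == "\\":
                    j += 2  # backslash escape inside a double-quoted string
                    continue
                if line[j] == c:
                    if j + 1 < n and line[j + 1] == c:
                        j += 2  # doubled quote escapes the delimiter
                        continue
                    break
                j += 1
            out.append(" " * (j - i + 1))  # keep column positions, drop content
            i = j + 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def scan_script(text):
    """Return [(line_number, name)] for every denylisted identifier that
    occurs as code. Both call syntax (system("ls")) and Octave's command
    syntax (unix ls) are caught because the bare name is what is matched.
    Deliberately conservative: a variable or struct field that merely shares
    a denylisted name is reported too; a false positive here is cheap."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = strip_comments_and_strings(line)
        for m in IDENT.finditer(code):
            if m.group(0) in DENYLIST:
                hits.append((lineno, m.group(0)))
    return hits


def is_allowed(text):
    """True when the pre-screen found nothing; the script may go on to Octave."""
    return not scan_script(text)


# Constructed sample: the disk-filling loop from the thread plus command syntax,
# a harmless string that mentions a denylisted name, a transpose, and feval.
SAMPLE = """\
% constructed sample script
x = ones(1024,1024);
for i = 1:1e6
  save (tmpnam(), "x");
end
unix ls   % command syntax: no parentheses, still spawns a process
msg = 'this string mentions system but is not a call';
y = x';   % transpose operator, not a string
f = feval(cmd, "ls");  % whatever cmd holds at run time is reached by name
"""

CLEAN = "a = magic(4);\nb = a';\ndisp(sum(b(:)));\n"

if __name__ == "__main__":
    for lineno, name in scan_script(SAMPLE):
        print(f"line {lineno}: refused function '{name}'")
    print("clean script allowed:", is_allowed(CLEAN))
```

The scan is a pre-screen, not a sandbox: it inherits the weakness David points out (any function left off the list gets through), so it belongs in front of OS-level limits on the Octave process rather than in place of them.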