Smalltalker trying to hack site

Nevin Pratt nevin at smalltalkpro.com
Mon Feb 3 03:44:52 UTC 2003


I thought this was interesting.  I found the following (which I've 
slightly edited for certain reasons) in my web logs today.  The 
individual evidently knows something about Smalltalk.  They also know 
at least a little about Seaside (and thus apparently also about Squeak). 
They also appear to have at least a little bit of familiarity with 
Swikis (which I'm not running :-).  I wondered how long it would take 
before somebody tried something like this.

Note that if you load Seaside 2.x into your image (which I have done), 
as far as I know the 'config' app is still not protected by default.  If 
I had not disabled most of the seaside apps long ago (for this very 
security vulnerability), this hack attack would have succeeded.  Also 
note that one of the Seaside apps would have given them a fully 
functional Squeak class browser within their web browser, and thus they 
would have "owned" my server.  That's a warning to anybody else who uses 
Seaside.

Anyway, this person only spent a minute or so before giving up.

Nevin


> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:13 pm     downloads/3.Tools/',%20aUrl%20asString,'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:13 pm     downloads/3.Tools/';nextPutAll:%20self%20info;nextPutAll:%20'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:22 pm     downloads/3.Tools/',%20location,%20'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:23 pm     downloads/3.Tools/',%20tmp,'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:31 pm     downloads/3.Tools/',%20(self%20urlPattern%20copyReplaceAll:%20'*'%20with:%20'/command.html'),%20'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:39 pm     downloads/3.Tools/@logout
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:39 pm     downloads/3.Tools/@ensure
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:45 pm     downloads/3.Tools/@reload
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:45 pm     downloads/3.Tools/inspect',%20(response%20queryStringForPageAt:%20request%20pageKey),'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:50:57 pm     downloads/3.Tools/',aUrl,'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51 pm        downloads/3.Tools/@go
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:06 pm     seaside/config
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:10 pm     downloads/3.Tools/@edit:
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:18 pm     downloads/3.Tools/@remove:
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:19 pm     downloads/3.Tools/profile',%20(response%20queryStringForPageAt:%20request%20pageKey),%20'
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:21 pm     downloads/3.Tools/@foo
> a FileDoesNotExistException     63.148.99.230   2 February 2003, 6:51:25 pm     /downloads/3.Tools/foo
