Smalltalker trying to hack site
Nevin Pratt
nevin at smalltalkpro.com
Mon Feb 3 03:44:52 UTC 2003
I thought this was interesting. I found the following (which I've
slightly edited for certain reasons) in my web logs today. The
individual evidently knows something about Smalltalk. They also know
at least a little about Seaside (and thus apparently also about Squeak).
They also appear to have at least a little bit of familiarity with
Swikis (which I'm not running :-). I wondered how long it would take
before somebody tried something like this.
Note that if you load Seaside 2.x into your image (which I have done),
as far as I know the 'config' app is still not protected by default. If
I had not disabled most of the seaside apps long ago (for this very
security vulnerability), this hack attack would have succeeded. Also
note that one of the Seaside apps would have given them a fully
functional Squeak class browser within their web browser, and thus they
would have "owned" my server. That's a warning to anybody else who uses
Seaside.
Anyway, this person only spent a minute or so before giving up.
Nevin
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:13 pm downloads/3.Tools/',%20aUrl%20asString,'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:13 pm
> downloads/3.Tools/';nextPutAll:%20self%20info;nextPutAll:%20'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:22 pm downloads/3.Tools/',%20location,%20'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:23 pm downloads/3.Tools/',%20tmp,'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:31 pm
> downloads/3.Tools/',%20(self%20urlPattern%20copyReplaceAll:%20'*'%20with:%20'/command.html'),%20'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:39 pm downloads/3.Tools/@logout
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:39 pm downloads/3.Tools/@ensure
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:45 pm downloads/3.Tools/@reload
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:45 pm
> downloads/3.Tools/inspect',%20(response%20queryStringForPageAt:%20request%20pageKey),'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:50:57 pm downloads/3.Tools/',aUrl,'
> a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51
> pm downloads/3.Tools/@go
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:06 pm seaside/config
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:10 pm downloads/3.Tools/@edit:
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:18 pm downloads/3.Tools/@remove:
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:19 pm
> downloads/3.Tools/profile',%20(response%20queryStringForPageAt:%20request%20pageKey),%20'
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:21 pm downloads/3.Tools/@foo
> a FileDoesNotExistException 63.148.99.230 2 February 2003,
> 6:51:25 pm /downloads/3.Tools/foo
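As an added example (not part of the original post, and not Seaside or Squeak code), a small detector for the probing pattern shown in those log lines: it parses the "a FileDoesNotExistException <ip> <date>, <time> <path>" format, flags paths that hit the seaside/config app, @-prefixed action segments, or quoted Smalltalk source fragments, and groups the hits per client. The sample log is constructed from the post's format with a documentation-range placeholder IP.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the post's log format (the mail client wrapped the
# originals); 192.0.2.x are documentation-range placeholder addresses.
SAMPLE_LOG = """\
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:50:13 pm downloads/3.Tools/',%20aUrl%20asString,'
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:50:13 pm downloads/3.Tools/';nextPutAll:%20self%20info;nextPutAll:%20'
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:50:39 pm downloads/3.Tools/@logout
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:51 pm downloads/3.Tools/@go
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:51:06 pm seaside/config
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:51:19 pm downloads/3.Tools/inspect',%20(response%20queryStringForPageAt:%20request%20pageKey),'
a FileDoesNotExistException 192.0.2.10 2 February 2003, 6:51:25 pm /downloads/3.Tools/foo
a FileDoesNotExistException 192.0.2.20 2 February 2003, 7:12:02 pm downloads/3.Tools/readme.txt
"""

# One log entry; the seconds field is optional because one line in the post lacks it.
LINE_RE = re.compile(
    r"^a (?P<exc>\w+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<when>\d{1,2} \w+ \d{4}, \d{1,2}:\d{2}(?::\d{2})? [ap]m) (?P<path>\S+)$"
)
# A Smalltalk keyword selector such as "nextPutAll:" or "copyReplaceAll:".
KEYWORD_SELECTOR = re.compile(r"\b\w+:(?:\s|$)")


def classify(raw_path):
    """Return the probe indicators found in one request path (empty list if none)."""
    path = unquote(raw_path)
    hits = []
    if "seaside/config" in path.strip("/"):
        hits.append("config-app")            # the unprotected config app the post warns about
    if any(seg.startswith("@") for seg in path.split("/")):
        hits.append("action-segment")        # @logout, @edit:, @go ... as in the log
    if "'" in path and ("," in path or KEYWORD_SELECTOR.search(path)):
        hits.append("smalltalk-injection")   # quote-and-concatenate source fragments
    return hits


def parse(log_text):
    """Parse the log text into dicts with exc, ip, when and path; skip unparseable lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def analyze(log_text):
    """Per client IP: total requests, flagged requests and the set of indicators seen."""
    report = defaultdict(lambda: {"requests": 0, "flagged": 0, "indicators": set()})
    for ev in parse(log_text):
        entry = report[ev["ip"]]
        entry["requests"] += 1
        if hits := classify(ev["path"]):
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    return dict(report)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        verdict = "PROBE" if len(s["indicators"]) >= 2 else "ok"
        print(f"{ip}: {s['flagged']}/{s['requests']} flagged {sorted(s['indicators'])} -> {verdict}")
```

Two or more distinct indicator types from one address within a minute is a far stronger signal than any single 404, which is why the verdict counts indicator kinds rather than raw hits.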