I thought this was interesting. I found the following (which I've slightly edited for certain reasons) in my web logs today. The individual evidently knows something about Smalltalk. They also know at least a little about Seaside (and thus apparently also about Squeak). They also appear to have at least a little bit of familiarity with Swikis (which I'm not running :-). I wondered how long it would take before somebody tried something like this.
Note that if you load Seaside 2.x into your image (which I have done), as far as I know the 'config' app is still not protected by default. If I had not disabled most of the seaside apps long ago (for this very security vulnerability), this hack attack would have succeeded. Also note that one of the Seaside apps would have given them a fully functional Squeak class browser within their web browser, and thus they would have "owned" my server. That's a warning to anybody else who uses Seaside.
Anyway, this person only spent a minute or so before giving up.
Nevin
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:13 pm downloads/3.Tools/',%20aUrl%20asString,'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:13 pm downloads/3.Tools/';nextPutAll:%20self%20info;nextPutAll:%20'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:22 pm downloads/3.Tools/',%20location,%20'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:23 pm downloads/3.Tools/',%20tmp,'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:31 pm downloads/3.Tools/',%20(self%20urlPattern%20copyReplaceAll:%20'*'%20with:%20'/command.html'),%20'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:39 pm downloads/3.Tools/@logout
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:39 pm downloads/3.Tools/@ensure
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:45 pm downloads/3.Tools/@reload
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:45 pm downloads/3.Tools/inspect',%20(response%20queryStringForPageAt:%20request%20pageKey),'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:50:57 pm downloads/3.Tools/',aUrl,'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51 pm downloads/3.Tools/@go
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:06 pm seaside/config
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:10 pm downloads/3.Tools/@edit:
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:18 pm downloads/3.Tools/@remove:
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:19 pm downloads/3.Tools/profile',%20(response%20queryStringForPageAt:%20request%20pageKey),%20'
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:21 pm downloads/3.Tools/@foo
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:25 pm /downloads/3.Tools/foo
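As an added example (not code from the thread or from Seaside), a small Python script that parses log entries of the shape posted above and flags the two things the discussion turns on: requests for the Seaside admin app (`seaside/config`) and paths carrying URL-encoded Smalltalk fragments. The sample entries, including the IP addresses, are constructed.

```python
import re
import urllib.parse

# Constructed sample log, mirroring the posted format:
# "a <Exception> <client IP> <date>, <time> <requested path>"
SAMPLE_LOG = """\
a FileDoesNotExistException 198.51.100.7 2 February 2003, 6:50:13 pm downloads/3.Tools/',%20aUrl%20asString,'
a FileDoesNotExistException 198.51.100.7 2 February 2003, 6:50:39 pm downloads/3.Tools/@logout
a FileDoesNotExistException 198.51.100.7 2 February 2003, 6:51:06 pm seaside/config
a FileDoesNotExistException 203.0.113.9 2 February 2003, 7:02:00 pm downloads/3.Tools/README.txt
"""

ENTRY = re.compile(
    r"a (?P<exc>\w+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<when>\d{1,2} \w+ \d{4}, \d{1,2}:\d{2}(?::\d{2})? [ap]m) (?P<path>\S+)"
)

# Admin app named in the thread; anything under it should never be reachable anonymously.
SENSITIVE_PREFIXES = ("seaside/config",)

def parse(log_text):
    """Parse log lines into dicts with the path URL-decoded; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            d["path"] = urllib.parse.unquote(d["path"])
            entries.append(d)
    return entries

def reasons(path):
    """Why a decoded request path looks like probing rather than ordinary browsing."""
    out = []
    if path.lstrip("/").lower().startswith(SENSITIVE_PREFIXES):
        out.append("admin-app probe")
    # quote-comma / comma-quote / cascade fragments: Smalltalk source pasted into a URL
    if re.search(r"',|,'|;\s*\w+:", path):
        out.append("smalltalk-fragment")
    return out

def flag(entries):
    """List (ip, path, reason) for every suspicious entry."""
    return [(e["ip"], e["path"], r) for e in entries for r in reasons(e["path"])]

def per_ip(entries):
    """Count flagged requests per client IP, for a quick 'who is probing' view."""
    counts = {}
    for ip, _path, _reason in flag(entries):
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```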
On Sun, 2 Feb 2003, Nevin Pratt wrote:
> Note that if you load Seaside 2.x into your image (which I have done), as far as I know the 'config' app is still not protected by default.
It is protected, but only with a default password, of course - if you don't change this you're still vulnerable to those in the know.
Your urls don't look like someone trying to hack into a Seaside app, though - pasting bits of Smalltalk code into the url would *never* do anything useful. So I'm not sure about your conclusion that this person was familiar with Squeak. As you point out, however, an unsecured Seaside server does give you pretty complete tools access (which is extremely useful during development, but definitely wants to be locked down for deployment).
Avi
Avi Bryant wrote:
> Your urls don't look like someone trying to hack into a Seaside app,
The following does:
a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:06 pm seaside/config
How did they know to plug in 'seaside/config'? They knew a bit about Seaside to even know about 'seaside/config'. And by association, they probably also knew at least a little about Squeak.
Nevin
On Sun, 2 Feb 2003, Nevin Pratt wrote:
> > Your urls don't look like someone trying to hack into a Seaside app,
> The following does:
> a FileDoesNotExistException 63.148.99.230 2 February 2003, 6:51:06 pm seaside/config
> How did they know to plug in 'seaside/config'? They knew a bit about Seaside to even know about 'seaside/config'. And by association, they probably also knew at least a little about Squeak.
You're right, I didn't see that one.
squeak-dev@lists.squeakfoundation.org