473,394 Members | 1,302 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,394 software developers and data experts.

Crunchy security advisory

A security hole has been uncovered in Crunchy (version 0.9.1.1 and
earlier).

Anyone using Crunchy to browse web tutorials should only visit sites
that are trustworthy.

We are working hard at fixing the hole; a new release addressing the
problems that have
been found should be forthcoming shortly.

André
-----

The security problem is as follows:

In theory, a web page could contain some javascript code (or link to
such code) that would bypass Crunchy's filter to be executed by the
browser. If that is the case, the javascript code could be designed
to send some
Python code directly to the Python backend (i.e. without the Crunchy
user pressing a button, or having the chance to view the code to be
executed) so that it is executed. Such code could result in deleting
the entire files or installing some virus on the user's machine.

At the moment, the risk is pretty low. Crunchy already removes all
obvious (and most non-obvious) javascript code, links to such code,
etc. The holes found require the use of some uncommon combination of
html and css code, with a particular knowledge of Firefox.

(Note that browsers other than Firefox are likely to be even more
vulnerable).

Furthermore, Crunchy is not that well known that it is likely to
be a target by a cracker that would 1) write a "tutorial" interesting
enough to lure current Crunchy users (who, at this point, are
likely to include only advanced Python users) and 2) write some fairly
involved
javascript code to bypass the second security layer (where the
commands enabling communication between the browser and crunchy are
made up of random string generated uniquely at each new Crunchy
session).

If anyone is interested in security issues related to Crunchy, feel
free to
contact me directly.

Jul 28 '07 #1
1 1225
A new release (0.9.2) containing a very important security fix is
available
for Crunchy, at http://code.google.com/p/crunchy

Anyone using Crunchy *should* download this release.

Fairly detailed information about the security issue can be found
on the FAQ page included in Crunchy's release
(viewable from Crunchy's left menu).
André

Crunchy is an application that transforms an otherwise static
html page into an interactive Python session.
On Jul 28, 8:13 pm, André <andre.robe...@gmail.comwrote:
A security hole has been uncovered in Crunchy (version 0.9.1.1 and
earlier).

Anyone using Crunchy to browse web tutorials should only visit sites
that are trustworthy.

We are working hard at fixing the hole; a new release addressing the
problems that have
been found should be forthcoming shortly.

André


Jul 30 '07 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

38
by: Tim Tyler | last post by:
Here's what this morning's security advisory read here: ``In the last 3 months we have noticed an marked increase in the number of web-server attacks and successful compromise on our network....
0
by: PayPal | last post by:
<HTML> <HEAD> <META NAME="GENERATOR" Content="Microsoft DHTML Editing Control"> <TITLE></TITLE> </HEAD> <BODY> <STYLE type=text/css> ..dummy {} BODY, TD {font-family:...
0
by: jwoolard | last post by:
Version 0.7 of Crunchy has been released. It is available on Sourceforge (http://sourceforge.net/project/showfiles.php?group_id=169458) Crunchy, the Interactive Python Tutorial Maker, is an...
0
by: Anthony Baxter | last post by:
SECURITY ADVISORY Buffer overrun in repr() for UCS-4 encoded unicode strings http://www.python.org/news/security/PSF-2006-001/ Advisory ID: PSF-2006-001 Issue Date: October 12, 2006...
3
by: =?iso-8859-1?B?QW5kcuk=?= | last post by:
Version 0.8 of Crunchy has been released. It is available on http://code.google.com/p/crunchy/ Crunchy, the Interactive Python Tutorial Maker, is an application that transforms an ordinary...
1
by: =?iso-8859-1?B?QW5kcuk=?= | last post by:
Crunchy 0.9 has been released. It is available at http://code.google.com/p/crunchy What is Crunchy? Crunchy is a an application that transforms html Python tutorials into interactive session...
0
by: =?iso-8859-1?B?QW5kcuk=?= | last post by:
Crunchy 0.9.1 has been released. It is available at http://code.google.com/p/crunchy Note that, if you have downloaded version 0.9 or version 0.9.0.1 you likely will not need to download this...
0
by: =?ISO-8859-1?Q?Andr=E9?= | last post by:
Crunchy is an application that transforms static (text based) Python tutorials into interactive Python sessions within your browser. Since the last announcement on this list, there has been 6 new...
0
by: =?ISO-8859-1?Q?Andr=E9?= | last post by:
Hi everyone, Crunchy version 1.0 alpha 1 has been released. Crunchy is an application that transforms normally static Python tutorial (html files, or reStructuredText ones - if docutils is...
0
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
1
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
1
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
0
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
0
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
0
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
0
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
0
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
0
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.