
File Inclusion vulnerability / Remote File Inclusion

Hi,

I want to ask how PythonAnywhere protects its users against File Inclusion vulnerabilities. I have searched the forum for this but couldn't find any mention of it. I'm asking because in the last 2 days I got increased traffic, and when I checked the server logs I found plenty of these kinds of query strings:

"GET /index.php?controller=../../../../../../../../../../../../../etc/passwd%00&option=com_properties HTTP/1.1"

"GET /lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1"

Then I searched about it and, to my surprise, it's about File Inclusion vulnerabilities / Remote File Inclusion. The good thing is that each of those log lines always ends with: 404 232 --> this means whoever was trying to exploit it did not succeed, correct?

I read this article about securing an account: https://help.pythonanywhere.com/pages/SecuringYourAccount/ Is there anything else we can do to prevent these kinds of cyber attacks? I would like to know if there are methods to ensure the security of the web app. Thanks.

Cheers!

Yes, 404 means that your web app returned a "Page not found" error. The vulnerability could only work (to some extent, as your code runs in a sandbox) if your code was expecting an input from a parameter in the URL, which in turn would be evaluated without proper validation in a way that it would be shown in the HTML of the dynamically created page. So, unless you're running some unknown code copied from the Internet, you'd need to put in some conscious effort to make this happen. The other possibility of exposing your files stored on PythonAnywhere would be by static file mappings -- you can read more about it here. Otherwise, your files are as safe as your account is (so basically all the hints from the help page you referred to apply).
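The answer above pins the risk on one code shape: a URL parameter that is joined onto a filesystem path and opened without validation. The following is an added example, not code from this thread or from PythonAnywhere, showing that unsafe shape beside a hardened version, plus a small log-line check that recognises the two request patterns quoted in the question (including the `%00` and `....//` evasions they use). The directory `/srv/app/files`, the log excerpt with its status and size fields, and all function names are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample log excerpt, modelled on the two request lines quoted in
# the question plus one ordinary request; the status/size fields are made up.
SAMPLE_LOG = """\
"GET /index.php?controller=../../../../../../../../../../../../../etc/passwd%00&option=com_properties HTTP/1.1" 404 232
"GET /lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1" 404 232
"GET /static/css/main.css HTTP/1.1" 200 1432
"""

# Request line, status and response size as found in a common access-log format.
LOG_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_traversal_probe(request_target: str) -> bool:
    """Heuristic: does this request target look like a path-traversal / LFI probe?

    The checks run on a canonicalised form so that the evasions visible in the
    question's log (percent-encoding, a null byte, doubled dots, doubled slashes)
    do not hide the parent-directory references.
    """
    decoded = request_target
    for _ in range(2):                       # undo single and double URL-encoding
        decoded = unquote(decoded)
    if "\x00" in decoded:                    # %00 truncation trick
        return True
    normalised = re.sub(r"/+", "/", decoded.replace("\\", "/"))
    # A segment made only of two or more dots ('..', '....') is either a
    # parent-directory reference or an attempt to survive a naive '../' strip.
    for segment in re.split(r"[/?&=;]", normalised):
        if len(segment) >= 2 and set(segment) == {"."}:
            return True
    return False


def flag_traversal_attempts(log_text: str):
    """Return (target, status) for every log line that looks like a traversal probe.

    A 404 on every hit (as in the question) means nothing was served; a 200 on
    a hit is the line worth investigating.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.search(line)
        if m and is_traversal_probe(m.group("target")):
            hits.append((m.group("target"), int(m.group("status"))))
    return hits


def vulnerable_read(base_dir: str, user_path: str) -> str:
    """The exploitable shape described in the answer: the URL parameter is
    joined onto a directory and opened with no validation.  Contrast only."""
    with open(os.path.join(base_dir, user_path)) as fh:
        return fh.read()


def resolve_under_base(base_dir: str, user_path: str):
    """Return the resolved path for user_path inside base_dir, or None if the
    request would escape base_dir (via '..', an absolute path, a symlink, or a
    null byte).  The containment check is done on resolved paths, not on the
    raw string, so '....//' style tricks get no special handling here.
    """
    if "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base if user_path is absolute; realpath then
    # collapses any '..' and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_read(base_dir: str, user_path: str) -> str:
    """Hardened replacement for vulnerable_read: refuse anything outside base_dir."""
    target = resolve_under_base(base_dir, user_path)
    if target is None:
        raise PermissionError(f"refusing path outside {base_dir!r}: {user_path!r}")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    for target, status in flag_traversal_attempts(SAMPLE_LOG):
        print(f"probe: {status} {target}")
    print(resolve_under_base("/srv/app/files", "../../../../etc/passwd"))   # None
    print(resolve_under_base("/srv/app/files", "docs/readme.txt"))          # inside base
```

The log check is deliberately a heuristic for triage, not a filter to put in front of the app; the real protection is `resolve_under_base`, which rejects a request by comparing the fully resolved path against the allowed directory rather than by searching the string for `../`.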