Saturday, July 28, 2007

Crunchy Security Advisory

A security hole has been uncovered in Crunchy (version 0.9.1.1 and earlier).

Anyone using Crunchy to browse web tutorials should only visit sites that are trustworthy.

We are working hard at fixing the hole; a new release addressing the problems that have been found should be forthcoming shortly.

-----

The security problem is as follows:

In theory, a web page could contain some javascript code (or link to such code) that would bypass Crunchy's filter to be executed by the browser. If that is the case, the javascript code could be designed to send some Python code directly to the Python backend (i.e. without the Crunchy user pressing a button, or having the chance to view the code to be executed) so that it is executed. Such code could result in deleting the entire files or installing some virus on the user's machine.

At the moment, the risk is pretty low. Crunchy already removes all obvious (and most non-obvious) javascript code, links to such code, etc. The holes found require the use of some uncommon combination of html and css code, with a particular knowledge of Firefox.

(Note that browsers other than Firefox are likely to be even more vulnerable).

Furthermore, Crunchy is not that well known that it is likely to be a target by a cracker that would 1) write a "tutorial" interesting enough to lure current Crunchy users (who, at this point, are likely to include only advanced Python users) and 2) write some fairly involved javascript code to bypass the second security layer (where the commands enabling communication between the browser and crunchy are made up of random string generated uniquely at each new Crunchy session).

If anyone is interested in security issues related to Crunchy, feel free to contact me directly.

No comments: