Vulnerability Development mailing list archives
Re: CGI scripts in sh
From: Crispin Cowan <crispin () WIREX COM>
Date: Thu, 21 Sep 2000 01:08:39 -0700
Crypteria wrote:
I got a question concerning CGI scripts. I've been told that sh scripts are way more insecure than perl or c/c++ scripts. I find it great to use the power of shell scripting and the ability to use commands in scripts, and I just wondered why they could be more insecure? After all, a good shell script can be flawless just as a bad perl script can be dangerous...
Badly written CGI scripts are dangerous, because the CGI script (presumably) has access to files that you care about. A good programmer can make a safe CGI script in any language, including FORTRAN (yes, it's been done). The choice of language affects how easy or hard it is for a weaker programmer to write safe code.

The major threat to CGIs is that they can be given truly arbitrary input: the attacker can supply any data they want to the CGI script, and it is up to the program to parse, slice and dice it in a safe fashion. Each of Perl, sh, and C/C++ have their strengths & weaknesses. None of them is particularly safe. If you want a particularly safe CGI language, consider Java servlets: they at least have strong type safety.

Here's some commentary on each of the languages you mention. Something to offend everyone :-)

* sh: no real advantages. Hard to debug. Easy to screw up quoting/escape character issues.

* Perl:
  o Advantages: Ubiquity in web CGI environment. Can use the 'taint' feature to detect whether an input has been filtered for sanity.
  o Disadvantages: The kitchen sink philosophy has resulted in 5 different ways to do any one thing, which means the odds of a code auditor being able to read the code are greatly diminished. Despite the taint facility, Perl scripts are still likely to have problems with quoting/escape characters.

* C: God's own portable macro assembler. Do not confuse C with a high level language.
  o Advantages: Fast.
  o Disadvantages: Dangerous. For use only by experts.

* C++: the performance of SmallTalk with the safety of C :-(
  o Advantages: None. It gives only the illusion of type safety.
  o Disadvantages: Many. Gives neither performance nor safety. C++ is literally good for nothing. Never use it. If you want OOP or rapid development, use Java. If you want performance, use C. Evidence: most Windows programs are written in C++ :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
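The sh quoting and escape-character hazards the reply mentions, as an added example that is not from the thread: hypothetical POSIX sh helpers that pull one parameter out of a constructed QUERY_STRING, decode it without passing it through the shell's own evaluation, whitelist it before use, and show how the same value becomes several argv words when expanded unquoted.

```shell
#!/bin/sh
# Added example, not code from the original thread. Hypothetical CGI helpers
# illustrating the sh pitfalls named in the post; QUERY_STRING is constructed.

# Return the raw (still %-encoded) value of key $2 from query string $1.
query_param() {
  set -f                      # no pathname expansion while splitting on '&'
  old_ifs=$IFS; IFS='&'
  for pair in $1; do
    case $pair in
      "$2="*) IFS=$old_ifs; set +f; printf '%s\n' "${pair#*=}"; return 0 ;;
    esac
  done
  IFS=$old_ifs; set +f
  return 1
}

# Decode '+' and %XX; awk keeps every byte literal, nothing is re-evaluated.
url_decode() {
  printf '%s' "$1" | awk '{ s = $0; out = ""; hex = "0123456789abcdef"
    while (length(s)) {
      c = substr(s, 1, 1)
      if (c == "+") { out = out " "; s = substr(s, 2) }
      else if (c == "%" && length(s) >= 3) {
        h = tolower(substr(s, 2, 2))
        v = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
        out = out sprintf("%c", v); s = substr(s, 4)
      } else { out = out c; s = substr(s, 2) }
    }
    print out }'
}

# Whitelist check: only a plain username-like token may reach a command line.
is_safe_name() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or contains anything else
    *) return 0 ;;
  esac
}

# Argv words one decoded value turns into when expanded unquoted (the classic
# bug: word splitting plus globbing) versus quoted (what the script should do).
argc_unquoted() { set -- $1; echo $#; }
argc_quoted()   { set -- "$1"; echo $#; }

QUERY_STRING='user=alice%20-r%20%2A&lang=sh'   # constructed hostile-looking input
raw=$(query_param "$QUERY_STRING" user)
val=$(url_decode "$raw")                       # -> "alice -r *"
echo "unquoted words: $(argc_unquoted "$val"), quoted: $(argc_quoted "$val")"
is_safe_name "$val" || echo "rejected: $val"
```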