Vulnerability Development mailing list archives

Re: CGI scripts in sh


From: Crispin Cowan <crispin () WIREX COM>
Date: Thu, 21 Sep 2000 01:08:39 -0700

Crypteria wrote:

I got a question concerning CGI scripts, I've been told that sh scripts are
way more insecure than perl or c/c++ scripts. I find it great to use the power
of shell scripting and the ability to use commands in scripts and I just
wondered why they could be more insecure? After all, a good shell script can
be flawless just as a bad perl script can be dangerous...

Badly written CGI scripts are dangerous, because the CGI script (presumably)
has access to files that you care about.

A good programmer can make a safe CGI script in any language, including FORTRAN
(yes, it's been done).  The choice of language affects how easy or hard it is
for a weaker programmer to write safe code.

The major threat to CGIs is that they can be given truly arbitrary input:  the
attacker can supply any data they want to the CGI script, and it is up to the
program to parse, slice and dice it in a safe fashion.

Each of Perl, sh, and C/C++ has its strengths & weaknesses.  None of them is
particularly safe.  If you want a particularly safe CGI language, consider Java
servlets:  they at least have strong type safety.

Here's some commentary on each of the languages you mention.  Something to
offend everyone :-)

   * sh:  no real advantages.  Hard to debug.  Easy to screw up quoting/escape
     character issues.
   * Perl:
        o Advantages:  Ubiquity in web CGI environment.  Can use the 'taint'
          feature to detect whether an input has been filtered for sanity.
        o Disadvantages:  The kitchen sink philosophy has resulted in 5
          different ways to do any one thing, which means the odds of a code
          auditor being able to read the code are greatly diminished.  Despite
          the taint facility, Perl scripts are still likely to have problems
          with quoting/escape characters.
   * C:  God's own portable macro assembler.  Do not confuse C with a high
     level language.
        o Advantages:  Fast.
        o Disadvantages:  Dangerous.  For use only by experts.
   * C++:  the performance of SmallTalk with the safety of C :-(
        o Advantages:  None.  It gives only the illusion of type safety.
        o Disadvantages:  Many.  Gives neither performance nor safety.  C++ is
          literally good for nothing.  Never use it.  If you want OOP or rapid
          development, use Java.  If you want performance, use C.  Evidence:
          most Windows programs are written in C++ :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games
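
The quoting/escape problem mentioned for sh in the message above, as an added example that is not part of the original post: a sh CGI handler that expands a form field unquoted, beside a form that allowlists the value and quotes it. The function names, the `user` field and the sample query strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration (constructed), not code from the original post.

# Show exactly which arguments a command receives, one [..] per argument.
show_argv() { printf '[%s]' "$@"; echo; }

# Extract one form field from a query string; '+' decodes to a space.
# (Hypothetical helper; %XX decoding is omitted to keep the example short.)
query_param() {  # $1 = query string, $2 = field name
    printf '%s\n' "$1" | tr '&+' '\n ' | sed -n "s/^$2=//p" | head -n 1
}

# Weak form: $value is expanded without quotes, so the shell splits it on
# whitespace (and would expand *, ?, [ as globs) before the command runs.
handle_unquoted() {
    value=$(query_param "$1" user)
    show_argv $value
}

# Hardened form: reject anything outside a strict allowlist, then still
# expand inside double quotes so the command gets exactly one argument.
handle_checked() {
    value=$(query_param "$1" user)
    case $value in
        ''|*[!A-Za-z0-9_-]*) echo "rejected"; return 0 ;;
    esac
    show_argv "$value"
}

# Constructed sample input.
handle_unquoted 'user=alice+bob&page=1'   # one field arrives as two arguments
handle_checked  'user=alice+bob&page=1'   # space is outside the allowlist
handle_checked  'page=1&user=alice_01'    # accepted, passed as one argument
```

The allowlist decides what a valid value is; the double quotes make sure that whatever passes is never re-parsed by the shell.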

