Vulnerability Development mailing list archives
Re: CGI scripts in sh
From: Gordon Messmer <yinyang () EBURG COM>
Date: Thu, 21 Sep 2000 00:58:15 -0700
On Thu, 21 Sep 2000, Crypteria wrote:
I got a question concerning CGI scripts, i've been told that sh scripts are way more insecure than perl or c/c++ scripts. I find great to use the power of shell scripting and the ability to use commands in scripts and I just wondered why they could be more insecure ? After all, a good shell scripts can be flawless just as a bad perl script can be dangerous...
The difference is primarily that sh scripts are entirely evaluated commands, where that is usually not the case with other languages. What I mean by that is every line of a shell script is expanded and evaluated by the shell before it is executed. That makes it a lot easier to slip something like :: this_val `cat /etc/passwd ; echo` into some form input and expect the shell to execute that code. Any place a variable is expanded, the ticks will be expanded, too, probably writing your password file back to a mailicious user. You have two real problems using shell for CGI. The first is that unlike Perl, you don't have the easy manipulation of input. You also haven't got "taint" mode to tell you when you need to check input. This makes it harder to properly escape or clean up the data that users send you. Plus, if you evaluate the input and store the result, your quoting could easily be undone. It's the nature of the shell. The second problem, as I sorta illustrated above is that any variable (that's your input) can easily become a command statement. In other languages you have to be very explicit to acheive such a result. Shell scripting has no advantages over Perl, really. In almost all cases a shell script will take longer to write (especially to write correctly), take longer to execute, and you can't _TRUST_ it because variables get evaluated as commands too easily. The "ability to use commands in scripts" is present in Perl, just as it is in the shell. Yes, you can write a bad cgi in any language. You can probably write a good CGI in any language, too. shell scripting, however, is inherently more dangerous than pretty much anything else you'd use to create cgi's. MSG
Current thread:
- IP Spoofing with DHCP ? Skreel (Sep 17)
- Re: IP Spoofing with DHCP ? Matthew S. Hallacy (Sep 18)
- Re: IP Spoofing with DHCP ? Alon Oz (Sep 18)
- Re: IP Spoofing with DHCP ? Nathan Einwechter (Sep 19)
- CGI scripts in sh Crypteria (Sep 20)
- Re: CGI scripts in sh Mark Rafn (Sep 21)
- Serv-U FTP deals makes connections with www.cat-soft.com [ KoSaK ] (Sep 22)
- Re: Serv-U FTP deals makes connections with www.cat-soft.com Dimitry Andric (Sep 22)
- CGI scripts in sh Crypteria (Sep 20)
- Re: CGI scripts in sh Crispin Cowan (Sep 21)
- Re: CGI scripts in sh Gordon Messmer (Sep 21)
- Re: CGI scripts in sh Lincoln Yeoh (Sep 22)
- Re: CGI scripts in sh Crispin Cowan (Sep 23)
- Re: CGI scripts in sh -jf- (Sep 22)
- C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 23)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Jonathan James (Sep 24)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 25)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Bluefish (P.Magnusson) (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Bluefish (P.Magnusson) (Sep 27)