Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding


From: "M. Buchzik" <Michael () buchzik de>
Date: Wed, 03 Dec 2003 17:35:17 +0000


Hi,
now I'm getting interested ;)

Bob Toxen wrote:

> I've read about so many security bugs in php (as compared to, say, C or perl)
> that I recommend that my clients do not use it.  "But it's so easy."

Do you mean security flaws in applications (e.g. the "never ending 
story" of phpnuke) or in php itself?
There have been lots of updates of php since, but when compared to perl, 
you might also count security flaws in perl modules like in CGI.pm 
lately (since most enhancements in php are built in as 'extensions' and 
'count' to php).

( http://www.securityfocus.com/archive/1/330101 )

To quote you (or your customers), in my opinion php is _too_ easy! The 
effect?
Too many people start through in programming and so are causing these 
negative side effects (and that's just it):

- a webserver gets compromised (directory traversal, data access)
- a database gets crashed (sql injection)
- the whole application gets compromised 
  ( http://www.php.net/manual/en/security.registerglobals.php )
- a client of the application gets compromised (XSS)
- spam gets set free to the world's mailboxes

But IMHO this is all up to the programmer and not the coding language 
itself (sorry, I can't say anything about shell scripting like bash or 
tcsh, since my level there is just enough to create an init script).
This all can also happen with other programming languages! (example: 
formmail.cgi|pl , or Java http://www.securityfocus.com/archive/1/340366 )
(I've heard something about java webstart lately, but can't find it at 
the moment)


Methods of taint checking are nearly equal in php and perl ( e.g. 
http://www.php.net/manual/en/ref.pcre.php or 
http://www.php.net/manual/en/function.is-numeric.php ) (have a look at 
the first comment on is_numeric()!).

For example, with this function I would feel absolutely secure:
if (is_numeric($_GET['count'])) {
 // Insert $_GET['count'] into Database ...
 // alternatives: is_int(), is_float(), ... what ever needed
}

Unfortunately, the most often found function in the web would look like 
this:

if ($count) {
 // Insert my sql injection ...
}

But your opinion that one should "avoid all scripting languages" is an interesting one ;)
Isn't the compile _time_ just the difference between "interpreted" 
and "compiled" programming languages?


But what I'm missing is a code analyzer to report possible security 
flaws in php or perl ...


Greetings,
Michael Buchzik
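Added example (not code from the original post or its author): it puts the three checks the post contrasts side by side, the truthiness test "if ($count)", is_numeric(), and a stricter integer check using PCRE, and then inserts the value through a prepared statement so that even a validated value is never pasted into the SQL text. The isStrictInt() helper, the in-memory SQLite "hits" table and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not code from the original post: compares "if ($count)",
// is_numeric() and a strict integer check, then binds the value into an
// INSERT instead of concatenating it into the query string.

declare(strict_types=1);

// Strict check: an optionally signed decimal integer with no surrounding
// whitespace, no exponent and no leading zeros, within PHP's integer range.
function isStrictInt(string $value): bool
{
    if (preg_match('/\A-?(?:0|[1-9][0-9]*)\z/', $value) !== 1) {
        return false;
    }
    // Rejects digit strings that would overflow a PHP integer.
    return filter_var($value, FILTER_VALIDATE_INT) !== false;
}

// Constructed sample inputs (assumed, not from the post), including the
// edge cases that is_numeric() accepts but an integer column should not.
$samples = [
    '42',
    '-7',
    '0',        // valid, yet "if ($count)" treats it as absent
    ' 42',      // leading whitespace: is_numeric() accepts it
    '1e3',      // exponent notation: is_numeric() accepts it
    '12abc',    // trailing garbage: all three checks reject it
    '',
];

foreach ($samples as $s) {
    printf(
        "%-8s truthy=%-3s is_numeric=%-3s strict_int=%s\n",
        var_export($s, true),
        $s ? 'yes' : 'no',
        is_numeric($s) ? 'yes' : 'no',
        isStrictInt($s) ? 'yes' : 'no'
    );
}

// Hypothetical schema: an in-memory SQLite table with one integer column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hits (count INTEGER NOT NULL)');

// Validate, then bind: the driver sends the value separately from the
// statement text, so no part of the input is interpreted as SQL.
function insertCount(PDO $db, string $raw): bool
{
    if (!isStrictInt($raw)) {
        return false;   // reject rather than guess what was meant
    }
    $stmt = $db->prepare('INSERT INTO hits (count) VALUES (:count)');
    $stmt->bindValue(':count', (int) $raw, PDO::PARAM_INT);
    return $stmt->execute();
}

// On the command line $_GET is empty, so a constructed value is used.
$input = $_GET['count'] ?? '42';
var_dump(insertCount($db, $input));
var_dump((int) $db->query('SELECT COUNT(*) FROM hits')->fetchColumn());
```

The table printed by the loop is the point of the first half: "if ($count)" silently drops a legitimate 0, while is_numeric() lets through whitespace-padded and exponent forms that an integer column will not store as the user typed them. The second half shows why validation and parameter binding are two separate layers: the check decides what is acceptable input, and the prepared statement makes sure the database never sees the input as part of the query.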
