Vulnerability Development mailing list archives

Re: CGI scripts in sh


From: Gordon Messmer <yinyang () EBURG COM>
Date: Thu, 21 Sep 2000 00:58:15 -0700

On Thu, 21 Sep 2000, Crypteria wrote:

I got a question concerning CGI scripts, I've been told that sh
scripts are way more insecure than perl or c/c++ scripts. I find it great
to use the power of shell scripting and the ability to use commands in
scripts and I just wondered why they could be more insecure? After
all, a good shell script can be flawless just as a bad perl script
can be dangerous...

The difference is primarily that sh scripts are entirely evaluated
commands, where that is usually not the case with other languages.  What I
mean by that is every line of a shell script is expanded and evaluated by
the shell before it is executed.  That makes it a lot easier to slip
something like ::
        this_val `cat /etc/passwd ; echo`
into some form input and expect the shell to execute that code.  Any place
a variable is expanded, the ticks will be expanded, too, probably writing
your password file back to a malicious user.

You have two real problems using shell for CGI.  The first is that unlike
Perl, you don't have the easy manipulation of input.  You also haven't got
"taint" mode to tell you when you need to check input.  This makes it
harder to properly escape or clean up the data that users send you.  Plus,
if you evaluate the input and store the result, your quoting could easily
be undone.  It's the nature of the shell.

The second problem, as I sorta illustrated above, is that any variable
(that's your input) can easily become a command statement.  In other
languages you have to be very explicit to achieve such a result.

Shell scripting has no advantages over Perl, really.  In almost all cases
a shell script will take longer to write (especially to write correctly),
take longer to execute, and you can't _TRUST_ it because variables get
evaluated as commands too easily.  The "ability to use commands in
scripts" is present in Perl, just as it is in the shell.

Yes, you can write a bad CGI in any language.  You can probably write a
good CGI in any language, too.  Shell scripting, however, is inherently
more dangerous than pretty much anything else you'd use to create CGIs.

MSG
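
The re-evaluation problem described in the message above, as an added example that is not part of the original post: a form value that passes through `eval` has its backticks executed, while a plain quoted assignment keeps them as text, and an allow-list check rejects the value before it is used at all. The function names and the sample value (a harmless `echo INJECTED` marker stands in for a real command) are constructed for illustration.

```shell
#!/bin/sh
# Added example: how a form value becomes a command when a shell CGI
# re-evaluates it, and two defensive alternatives.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Constructed form value; the marker command is harmless.
SAMPLE='this_val `echo INJECTED`'

# Unsafe: the value is spliced into a string that the shell parses a second
# time. The inner double quotes do not help, because command substitution
# still happens inside double quotes.
store_unsafe() {
    eval "stored=\"$1\""
    printf '%s\n' "$stored"
}

# Safe: a plain assignment expands $1 once and never re-parses the result,
# so the backticks stay ordinary characters.
store_safe() {
    stored=$1
    printf '%s\n' "$stored"
}

# Allow-list check: accept only non-empty values made of letters, digits,
# underscore, dot and hyphen. Everything else is rejected outright rather
# than escaped.
is_clean() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

printf 'unsafe: %s\n' "$(store_unsafe "$SAMPLE")"
printf 'safe:   %s\n' "$(store_safe "$SAMPLE")"
if is_clean "$SAMPLE"; then
    echo 'check:  accepted'
else
    echo 'check:  rejected'
fi
```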

