Vulnerability Development mailing list archives
Re: CGI scripts in sh
From: -jf- <fergusoj () QUIK COM>
Date: Wed, 20 Sep 2000 20:41:34 +0000
The way I understand it (and anyone can add to it, or correct my mistakes) is:

a: I think security is a language-independent thing, and it's more how it's coded than what language you used, to a degree of course (e.g. not all languages have functions that don't do bounds checking, but for those that do, you can explicitly add them or use functions that automatically add them).

b: I think the idea behind shell scripts being insecure is the ability to escape from them and give them output of the likes not intended... it is a shell after all.

c: I believe a shell script owned by a normal user (normal meaning a user that isn't a superuser or even has access to things such as your webserver...) is fairly safe, as safe as giving a user account to whoever is running it (I would never use a shell script for CGI (or any other type of remote application) regardless of who owns it).

d: Things like restricted shell and traps make things a lot harder, along with things like set -e where the script exits upon error... harder, that is, for a potential attacker... but nevertheless I would never dump any amount of security into any shell script (on a side note, I'm very wary of Perl and such also; it's not just a shell scripting thing).

In conclusion, I think if used properly shell scripts can be somewhat secure, although like I pointed out it is essentially a shell spitting out canned commands... I myself haven't written too much in shell scripts, but have been playing with them lately... and have not really played with the security ideas behind them also... I do know certain (if not all) Linux distros (I don't know if it's a distro thing or a kernel thing, which would make it distro independent) won't allow suid root shell scripts, for obvious reasons. I hope this explained things a tad bit; I doubt it did, as I hardly understand it myself... just think of the consequences quotes, slashes and other characters could have on certain functions/commands/variables.

The point is nothing is flawless, regardless of language.

-jf-

Crypteria wrote:
> I got a question concerning CGI scripts. I've been told that sh scripts are way more insecure than Perl or C/C++ scripts. I find it great to use the power of shell scripting and the ability to use commands in scripts, and I just wondered why they could be more insecure? After all, a good shell script can be flawless just as a bad perl script can be dangerous...
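As an added example (not code from the thread or either poster), this is how the escaping risk -jf- describes in point b, and the set -e and trap measures from point d, look in a small sh CGI: a whitelist check before any expansion, double-quoted expansions, and cleanup on exit. Assumed: the query arrives as QUERY_STRING in the form user=<name>; the two-line "database" is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal CGI-style lookup in sh
# written defensively. Assumed: the query arrives as QUERY_STRING in the
# form "user=<name>"; the two-line "database" below is constructed.
set -eu

# The trap the poster mentions: remove the temp file on any exit.
DB=$(mktemp)
trap 'rm -f "$DB"' EXIT
printf 'alice:Alice Example\nbob:Bob Example\n' > "$DB"

# Whitelist check: anything that is not a letter, digit, "_" or "-" is
# rejected, so quotes, slashes, ";", "|", "$", "`", spaces, "&" and
# %-escapes never reach a command line at all.
validate_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pull the "user" value out of a query string such as "user=alice".
# Returns 1 if the parameter is missing or fails validation.
user_from_query() {
    case "$1" in
        user=*) u=${1#user=} ;;
        *) return 1 ;;
    esac
    validate_user "$u" || return 1
    printf '%s\n' "$u"
}

# Look up the display name. The expansion is double-quoted and passed as
# one argument, so the shell never re-parses what the client sent.
find_user() {
    grep -- "^$1:" "$DB" | cut -d: -f2-
}

# CGI entry point: validate first, answer second.
cgi_respond() {
    if user=$(user_from_query "$1"); then
        printf 'Content-Type: text/plain\r\n\r\n'
        find_user "$user"
    else
        printf 'Status: 400 Bad Request\r\n\r\n'
        return 1
    fi
}
[ -z "${QUERY_STRING:-}" ] || cgi_respond "$QUERY_STRING"
```

Run it as `QUERY_STRING='user=alice' sh lookup.sh` to see a normal response; any value containing a character outside the whitelist gets a 400 and never touches grep.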