Vulnerability Development mailing list archives

C versus other languages, round 538 or so (Re: CGI scripts in sh)


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sat, 23 Sep 2000 14:49:02 +0200

I use /bin/bash for a number of small CGIs, and I do dare to claim them
secure. Why? They don't read any user input. They are more or less simple
programs which filter command outputs into something I want to use on my
homepages.

However, bash is really not a language well suited for common CGIs. Why?
  1. Generally hard to do a lot of things, limited language.
  2. Not commonly used, alas lack of debugged libraries & guidelines.
  3. Tricky to keep track of where shell-expansion is being done.

Personally, I've coded quite little in C/C++, I mostly try to keep my
knowledge up to date because I'm interested in the security topics it
introduces. However, I've come to realize that C introduces hazards even
highly skilled programmers cannot cope with, the average CGI programmer
much less.

As an example, I had a look at code from a C programmer I consider to be
very intelligent and efficient (one of the better ones out there) and
looking at the code I found a variety of "dangerous" code. OK, there was
nothing exploitable (I think) but a number of things that looked
dangerous. If skilled programmers produce such dangerous code, there's no
telling what the average programmer will do.

Many programmers excuse poor code with "but this software will never be
executed with elevated privileges, so it cannot be exploited" which
basically is a stupid assumption. The mpeg123 bug is merely an example of the
general principle; non-privileged applications can be exploited as well.
It's only a question of how obvious and how hard the attack is.

Back at your question, I'd say a CGI written in sh is a very, very bad
idea in general. C is also a bad idea, unless you understand the common C
problems and quite actively search your code for mistakes (it's not a
question of what you write when you think about it, but what you write
when you are tired, in a hurry, etc etc).

perl is actually a quite good language, with many existing CGI libraries
and security guidelines. IMHO, languages such as perl and php3 are close to
ideal for writing scripts. It will still be a pain, checking against
metachars, guard against null poison, perhaps filter out HTML tags and
check http-referer to guard against cross-site linking attacks. But you do
have a moderately good success chance :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe

On Thu, 21 Sep 2000, Crypteria wrote:

I got a question concerning CGI scripts, I've been told that sh scripts are
way more insecure than perl or c/c++ scripts. I find great to use the power
of shell scripting and the ability to use commands in scripts and I just
wondered why they could be more insecure ? After all, a good shell script
can be flawless just as a bad perl script can be dangerous...
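
Point 3 of the message above (keeping track of where shell expansion is done) and its closing advice on checking metachars, shown as an added sh example that is not part of the original post. The helper names (get_param, is_token, safe_param) and the sample query strings are constructed for illustration.

```sh
# Added example, not from the original post. All inputs are constructed.
LC_ALL=C; export LC_ALL           # make the [A-Za-z0-9] ranges byte-exact

count_args() { echo "$#"; }       # how many words did the shell pass on?

# Fragile: $1 is expanded unquoted, so the shell applies field splitting
# and pathname expansion (globbing) to client-controlled data.
args_unquoted() { count_args $1; }

# Quoted: the value stays exactly one argument, whatever it contains.
args_quoted() { count_args "$1"; }

# get_param NAME QUERY: print the first NAME=value from QUERY using only
# parameter expansion (no eval, no backticks, no IFS changes).
# Hypothetical helper; it does not URL-decode, so is_token sees raw bytes.
get_param() {
    _rest=$2
    while [ -n "$_rest" ]; do
        _pair=${_rest%%"&"*}
        case $_pair in
            "$1="*) printf '%s\n' "${_pair#*=}"; return 0 ;;
        esac
        case $_rest in
            *"&"*) _rest=${_rest#*"&"} ;;
            *)     _rest= ;;
        esac
    done
    return 1
}

# Allow-list: 1 to 32 characters, each from A-Z a-z 0-9 _ -
is_token() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# safe_param NAME QUERY: print the value only if it passes the allow-list.
safe_param() {
    _v=$(get_param "$1" "$2") || return 1
    is_token "$_v" || return 1
    printf '%s\n' "$_v"
}

# Constructed request whose value contains a space and a glob character.
raw=$(get_param page 'page=status *&x=1')
echo "unquoted: $(args_unquoted "$raw") args; quoted: $(args_quoted "$raw")"
safe_param page 'page=status *&x=1' >/dev/null || echo "rejected"
```

The unquoted count printed by the last lines depends on the files in the current directory, because the `*` in the value is globbed.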


