Vulnerability Development mailing list archives
Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)
From: Ryan Masters <rmasters () GWI NET>
Date: Sun, 24 Sep 2000 10:32:10 -0400
Most security problems happened when a programmer wrongly ass/u/me'd things. Like the fact that uses you be able to pass direct variables.

It may sound ignorant, but smashing the stack attacks exploit both poor programming and problems with the OS dependent on the bounds checking of the program.

Perl, perl, perl. It can do everything php can, and much much more.

Ryan norml.

On Sat, 23 Sep 2000, Bluefish (P.Magnusson) wrote:

> I use /bin/bash for a number of small CGIs, and I do dare to claim them secure. Why? They don't read any user input. They are more or less simple programs which filter command outputs into something I want to use on my homepages.
>
> However, bash is really not a language well suited for common CGIs. Why?
>
> 1. Generally hard to do a lot of things, limited language.
> 2. Not commonly used, alas lack of debugged libraries & guidelines.
> 3. Tricky to keep track of where shell-expansion is being done.
>
> Personally, I've coded quite little in C/C++, I mostly try to keep my knowledge up to date because I'm interested in the security topics it introduces. However, I've come to realize that C introduces hazards even highly skilled programmers cannot cope with, the average CGI programmer much less.
>
> As an example, I had a look at code from a C programmer I consider to be very intelligent and efficient (one of the better ones out there) and looking at the code I found a variety of "dangerous" code. OK, there was nothing exploitable (I think) but a number of things that looked dangerous. If skilled programmers produce such dangerous code, there's no telling what the average programmer will do.
>
> Many programmers excuse poor code with "but this software will never be executed with elevated privileges, so it cannot be exploited" which basically is a stupid assumption. The mpeg123 bug is merely an example of the general principle; non-privileged applications can be exploited as well. It's only a question of how obvious and how hard the attack is.
>
> Back at your question, I'd say a CGI written in sh is a very, very bad idea in general. C is also a bad idea, unless you understand the common C problems and quite actively search your code for mistakes (it's not a question of what you write when you think about it, but what you write when you are tired, in a hurry, etc etc). perl is actually a quite good language, with many existing CGI libraries and security guidelines.
>
> IMHO, languages such as perl and php3 are close to ideal for writing scripts. It will still be a pain, checking against metachars, guard against null poison, perhaps filter out HTML tags and check http-referer to guard against cross-site linking attacks. But you do have a moderately good success chance :)
>
> ..:::::::::::::::::::::::::::::::::::::::::::::::::..
> http://www.11a.nu || http://bluefish.11a.nu
> eleventh alliance development & security team
> http://www.eff.org/cafe
>
> On Thu, 21 Sep 2000, Crypteria wrote:
>
>> I got a question concerning CGI scripts, I've been told that sh scripts are way more insecure than perl or c/c++ scripts. I find it great to use the power of shell scripting and the ability to use commands in scripts and I just wondered why they could be more insecure? After all, a good shell script can be flawless just as a bad perl script can be dangerous...
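
The checks named in the message above (metacharacters, null poison, HTML filtering, and keeping track of where shell expansion happens), sketched in POSIX sh as an added example that is not part of the original thread. The function names `get_param`, `is_safe_token` and `html_escape` are hypothetical, and the sample query strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread; all function names are hypothetical.
LC_ALL=C; export LC_ALL            # make bracket ranges such as A-Z mean ASCII only

# Print the raw value of parameter $2 from query string $1 (no eval, no word splitting).
get_param() {
    qs=$1
    while [ -n "$qs" ]; do
        pair=${qs%%"&"*}                     # first name=value pair
        case $pair in
            "$2"=*) printf '%s' "${pair#*=}"; return 0 ;;
        esac
        case $qs in
            *"&"*) qs=${qs#*"&"} ;;          # drop the pair just examined
            *) break ;;
        esac
    done
    return 1
}

# Return 0 only if $1 is a short token made of [A-Za-z0-9._-] that does not begin
# with "-". Everything else is refused: shell metacharacters, whitespace, "/" and
# every percent-escape, which covers %00 (null poison) and encoded metacharacters.
is_safe_token() {
    case $1 in
        ''|-*) return 1 ;;                   # empty, or would be parsed as an option
        *[!A-Za-z0-9._-]*) return 1 ;;       # a character outside the allowlist
    esac
    [ "${#1}" -le 64 ]                       # length bound
}

# Escape HTML metacharacters before a value is written back into a page.
html_escape() {
    printf '%s' "$1" |
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Constructed sample inputs: one benign, one carrying a metacharacter and %00.
for q in 'page=1&host=web01' 'host=web01;id%00'; do
    if v=$(get_param "$q" host) && is_safe_token "$v"; then
        # Every expansion stays quoted, so the value is never re-parsed by the shell.
        printf 'accepted: %s\n' "$(html_escape "$v")"
    else
        printf 'rejected: %s\n' "$(html_escape "$q")"
    fi
done
```

The allowlist is applied to the still-encoded value, so no decoding step exists that could reintroduce a character the check never saw.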