Vulnerability Development mailing list archives
Re: C versus other languages, round 538 or so (Re: CGI scripts in sh)
From: Jonathan James <Jonathan () SECURITO SE>
Date: Sun, 24 Sep 2000 15:30:16 +0200
A well experienced C/C++ programmer knows how to avoid the black holes that exist in regards to buffer overflows/unexpected input. All you have to do is to structure and think through your software design thoroughly before you turn your idea into code. As for C v. Perl I would choose C. Why? Because Perl is an interpreted language, we don't know if there exists any flaw in the perl interpreter. When you create a CGI script using C you know what you get. The CGI scripts run faster offers more control and possibilities, you can distribute your CGI scripts without giving away the sourcecode. Jonathan http://www.securito.se From: "Bluefish (P.Magnusson)" <11a () GMX NET>
I use /bin/bash for a number of small CGI's, and I do dare to claim them secure. Why? They don't read any user input. They are more or less simple programs which filters command outputs into something I want to use on my homepages. However, bash is really not a language well suited for common CGIs. Why? 1. Generally hard to do a lot of things, limited language. 2. Not commonly used, alas lack of debugged libraries & guidelines. 3. Tricky to keep track on where shell-expansion is being done. Personly, I've coded quite little in C/C++, I mostly try to keep my knowledge up to date because I'm interested in the security topics it introduces. However, I've come to realize that C introduces hazards even highly skilled programmers cannot cope with, the avarage CGI programmer much less. As an example, I had a look on code from a C programmer I consider to be very intelligent and efficent (one of the better ones out there) and looking at the code I found a variaty of "dangerous" code. OK, there was nothing exploitable (I think) but a number of things that looked dangerous. If skilled programmers produce such dangerous code, there's no telling what the avarage programmer will do. Many programmers excuse poor code with "but this software will never be executed with elevated priviledges, so it cannot be exploited" which basicly is stupid assumption. The mpeg123 bug is merely an example of the general principle; none-priviledged applications can be exploited as well. It's only a question of how obvious and how hard the attack is. Back at your question, I'd say a CGI written in sh is a very, very bad idea in general. C is also a bad idea, unless you understand the common C problems and quite actively search your code for misstakes (it's not a question of what you write when you think about it, but what you write when you are tired, in a hurry, etc etc). perl is actually a quite good language, with many existing CGI libraries and security guidelines. IMHO, languages such as perl and php3 is close to ideal for writing scripts. It will still be a pain, checking against metachars, gaurd against null poison, perhaps filter out HTML tags and check http-referer to gaurd against cross-site linking attacks. But you do have a moderately good success chance :)
Current thread:
- CGI scripts in sh, (continued)
- CGI scripts in sh Crypteria (Sep 20)
- Re: CGI scripts in sh Mark Rafn (Sep 21)
- Serv-U FTP deals makes connections with www.cat-soft.com [ KoSaK ] (Sep 22)
- Re: Serv-U FTP deals makes connections with www.cat-soft.com Dimitry Andric (Sep 22)
- CGI scripts in sh Crypteria (Sep 20)
- Re: CGI scripts in sh Crispin Cowan (Sep 21)
- Re: CGI scripts in sh Gordon Messmer (Sep 21)
- Re: CGI scripts in sh Lincoln Yeoh (Sep 22)
- Re: CGI scripts in sh Crispin Cowan (Sep 23)
- Re: CGI scripts in sh -jf- (Sep 22)
- C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 23)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Jonathan James (Sep 24)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Bluefish (P.Magnusson) (Sep 25)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Bluefish (P.Magnusson) (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Jonathan James (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Bluefish (P.Magnusson) (Sep 27)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Jonathan James (Sep 28)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Reid Nichol (Sep 29)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsinsh) Adam Clarke (Sep 28)
- Re: C versus other languages, round 538 or so (Re: CGI scriptsin sh) Ben Galehouse (Sep 30)
- Re: C versus other languages, round 538 or so (Re: CGI scripts in sh) Ben Galehouse (Sep 27)