Chapter 30. Server-Side Security Issues

Scripts Versus Programs

Shell scripts, Perl programs, and C executables are the most common forms that a CGI script takes, and each has advantages and disadvantages where security is concerned. No single language is best; depending on other considerations such as speed and code reuse, each has its place. Nonetheless, each brings its own characteristic security pitfalls, including the following:

  • Although shell CGI programs are often the easiest to write, they are difficult to control fully because they do most of their work by executing other, external programs. Your CGI script instantly inherits whatever security problems those programs have, and every piece of user data you hand to them passes through the shell's own parsing, where characters such as semicolons, pipes, and backquotes turn data into commands. The common UNIX utility awk, for example, has fairly restrictive limits on the amount of data it can handle, and a CGI program that delegates to awk is burdened with all those limits as well.

  • Perl is a step up from shell scripts. It has many advantages for CGI programming and can be made fairly secure; its taint mode (the -T switch) refuses to pass user-supplied data to a subshell, to eval, or to file and process operations until the script has explicitly checked it. But Perl offers CGI authors just enough flexibility to lull them into a false sense of security. Because Perl is interpreted, user data that reaches eval, a backquoted or piped command, or a single-string system() call is executed as code rather than treated as data.

  • A third language option is C. Precisely because C is so widely used, its security problems are well known and can be exploited fairly easily. C is weak at string handling: there is no automatic allocation, bounds checking, or cleanup, so the programmer must manage buffer sizes by hand. Many C programmers set aside a fixed-size buffer and hope it is big enough to hold whatever the user enters. Robert T. Morris, the author of the infamous 1988 Internet Worm, exploited exactly such a weakness in the BSD finger daemon fingerd (not, as is often stated, in sendmail, which the worm attacked through a different flaw): fingerd read its request into a fixed stack buffer with gets(), and an overlong request overwrote the stack and gave the worm a shell. The same can happen to your CGI program.
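The following C program is an added example, not code from the book, that puts the two pitfalls from the list above beside a hardened version of each. It models a CGI program that takes a "user" field from QUERY_STRING and looks the user up with an external utility; the choice of finger as that utility, the field name, the 16-byte buffer, and all function names are assumptions made for the illustration. The unsafe functions are kept only for comparison and are never called on real input.

```c
/* cgi_guard.c - added example, not code from the book it accompanies.
 * Assumed scenario: a CGI program reads "user" from QUERY_STRING, runs the
 * external utility finger on it, and copies it into a fixed-size buffer.
 * Build: cc -Wall -o cgi_guard cgi_guard.c ; run: QUERY_STRING='user=bob' ./cgi_guard */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 16          /* 15 characters plus the terminating NUL */

/* Extract one key=value pair from a query string (no percent-decoding; a real
 * handler must decode first, since decoding changes the length). Returns the
 * value length, or -1 if the key is absent or the value would not fit: an
 * oversized value is rejected, never truncated or written past the buffer. */
int get_query_field(const char *qs, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outsz)
                return -1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Pitfall 1 (shell and Perl points): data becomes code. The string goes to
 * /bin/sh, so "bob; rm -rf /" or "`id`" runs as commands. Do not use. */
int run_lookup_unsafe(const char *user) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "finger %s", user);
    return system(cmd);
}

/* Hardened check: a short alphanumeric name that does not start with '-', so
 * it can be neither shell syntax nor an option to the program being run. */
int user_name_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > NAME_MAX_LEN - 1 || s[0] == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Hardened lookup: validate, then exec with an argv vector so no shell ever
 * parses the user data. Returns the child's exit status or -1 on failure. */
int run_lookup_safe(const char *user) {
    if (!user_name_ok(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "finger", (char *)user, NULL };
        execvp(argv[0], argv);
        _exit(127);              /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pitfall 2 (C point): fixed buffer, no bounds check. strcpy keeps writing
 * past `name` for values of 16 characters or more, overwriting whatever
 * follows on the stack; fingerd's gets() call had the same shape. Do not use. */
int store_name_unsafe(const char *value) {
    char name[NAME_MAX_LEN];
    strcpy(name, value);
    return (int)strlen(name);
}

/* Hardened copy: measure first, copy within an explicit bound, and report
 * failure rather than silently truncating. Returns the length stored or -1. */
int store_name_safe(char *dst, size_t dstsz, const char *value) {
    size_t n = strlen(value);
    if (n >= dstsz)
        return -1;
    memcpy(dst, value, n + 1);
    return (int)n;
}

int main(void) {
    const char *qs = getenv("QUERY_STRING");
    char user[NAME_MAX_LEN];
    printf("Content-type: text/plain\r\n\r\n");
    if (qs == NULL || get_query_field(qs, "user", user, sizeof user) < 0
        || !user_name_ok(user)) {
        printf("bad or missing user parameter\n");
        return 1;
    }
    fflush(stdout);              /* the child shares stdout; flush before it writes */
    return run_lookup_safe(user) == 0 ? 0 : 1;
}
```

The two hardened halves are independent: the allowlist check is what keeps user data out of the shell and out of the called program's option parsing, while the bounded copy and the length check in get_query_field are what keep it out of the stack. A script in Perl or the shell needs the same two decisions, even though the buffer half is made for it by the interpreter.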

