Yes, CGI isn't a program and isn't insecure.  The program behind it, how
it's run (suid?) or whatnot is what matters.  And, like Jay mentioned, Perl
has built in checks.  Also, with Perl (and similar languages), there's no
need to worry about buffer overflows, unless you really do something
strange.  Stay away from suid and such in Perl if you're not sure and you
aren't vulnerable to buffer overflows, etc.
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.

----- Original Message -----
From: "Jay D. Dyson" <[EMAIL PROTECTED]>
To: "Security-Basics List" <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 10:06 AM
Subject: Re: Ten least secure programs


> On Mon, 30 Jun 2003, Chris Berry wrote:
>
> > >9) CGI (on a webserver, that is)
> >
> > Hmm, CGI is a bit tricky, but I don't think the underlying design is the
> > problem, mostly implementation, which is why I didn't put it on this
> > list.  Somebody correct me if I'm wrong.
>
> CGI is one of those iffy things.  If the program is written in C,
> shell or some other language, then the risks inherent in those languages
> (buffer overflows, arbitrary command execution, et al) must be factored
> into the security equation.
>
> If the program is written in PERL, there are a number of built-in
> security safeguards that can be activated to make the script more safe.
> For starters, PERL has the 'taint' flag (-T) that will do some sanity
> checking on data input and will abort the program if it is asked to handle
> input that hasn't been sanitized.
>
> But in the final analysis, it's not the language used that dooms
> you; it's the security practices (or rather the lack thereof) of the
> programmer who wrote the CGI script.
>
> -Jay
>
>
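Jay's point about the taint flag is easier to see in running code. The following CGI script is an added example, not code from either poster: it reads one GET parameter under -T, shows that the raw value is tainted, untaints it with an allow-list regex capture, and then calls the same command with the tainted and the untainted value so the fatal "Insecure dependency" abort is visible. The parameter name 'user' and the path /bin/echo are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a minimal CGI script under Perl's
# taint mode (-T), showing why tainted input is fatal and how to untaint it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, data from outside the program (CGI params, %ENV, STDIN) is
# tainted, and -T refuses to run a command while PATH itself is tainted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Pull one parameter out of QUERY_STRING (GET request); result is tainted.
sub get_param {
    my ($name) = @_;
    for my $pair (split /&/, $ENV{QUERY_STRING} // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k eq $name;
        $v //= '';
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # URL-decode
        return $v;
    }
    return;
}

# Untaint by allow-list: only a regex capture group yields clean data.
# Input that does not match is rejected outright, not "cleaned up".
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return $1;
}

my $raw  = get_param('user');      # assumed parameter name
my $user = untaint_username($raw);

print "Content-Type: text/plain\r\n\r\n";
if (!defined $user) {
    print "rejected: missing or invalid 'user' parameter\n";
    exit 0;
}
printf "raw tainted=%d, untainted tainted=%d\n", (tainted($raw) ? 1 : 0), (tainted($user) ? 1 : 0);

# Same command, tainted vs. untainted argument: the first dies with
# "Insecure dependency in system", the second runs (list form, no shell).
eval { system('/bin/echo', 'hello', $raw) };
print "tainted call aborted: $@" if $@;
system('/bin/echo', 'hello', $user);
```

To try it outside a web server, run `QUERY_STRING='user=alice' perl -T taint_cgi.pl`; the -T must be given on the command line as well, or Perl stops with "Too late for -T".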


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------