From: Christopher Todd (chris christophertodd.com)
Date: Mon Mar 25 2002 - 21:19:47 CST

>assuming your webserver is coded perfectly w/ no
>BOs....and all the mods that allow for different
>webApp langs to work are also coded
>correctly.....then as I understand it the only way to BO
>code would be if the CGIs were written in C/C++.
>
>Any webApps written in PHP/ASP(jscript,C#)/JSP
>would have features in the langs themselves that
>prevent one from assigning static mem buffers.

In the context of coding up web applications, yes, the classic
"smashing the stack for fun and profit" buffer overflows are only
possible if your CGIs are written in C/C++ (probably - never say
never in security :). Most of the languages used for web application
development nowadays (Java, Perl, PHP, Python, VBScript, etc.) are
interpreted languages in which the interpreter handles all the memory
allocation, thus preventing the programmer from shooting themselves
in the foot with unchecked buffers. Which is not to say that
developers using those languages have no ammo, mind you...

>excuse my ignorance...as I don't know as much about
>BOs as I should

For some fun background reading on BOs, you can check out Phrack 49:
http://phrack.org/show.php?p=49&a=14

Regards,
Chris
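
The contrast drawn in the reply above, as an added example that is not part of the original message: a C CGI handler that copies the query string into a fixed stack buffer unchecked, beside a bounds-checked URL decoder. The names `greet_unsafe`, `decode_checked` and `NAME_BUF_LEN` are hypothetical, and the whole `QUERY_STRING` is treated as the value.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_LEN 32   /* constructed buffer size for this example */
/* Vulnerable form: the query string is attacker-controlled and unbounded,
 * yet it is copied into a fixed stack buffer with no length check. */
void greet_unsafe(const char *query) {
    char name[NAME_BUF_LEN];
    strcpy(name, query);               /* overruns name[] on long input */
    printf("Hello, %s\n", name);
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hardened form: URL-decode src into out without writing past outlen.
 * Returns the decoded length, or -1 on oversized input, bad escape or %00. */
int decode_checked(const char *src, char *out, size_t outlen) {
    size_t n = 0;
    if (src == NULL || out == NULL || outlen == 0) return -1;
    while (*src != '\0') {
        int c = (unsigned char)*src++;
        if (c == '+') c = ' ';
        else if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;     /* truncated or non-hex escape */
            c = hi * 16 + lo; src += 2;
            if (c == 0) return -1;     /* embedded NUL would hide trailing data */
        }
        if (n + 1 >= outlen) return -1;  /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char name[NAME_BUF_LEN];
    const char *q = getenv("QUERY_STRING");   /* set by the web server */
    printf("Content-Type: text/plain\r\n\r\n");
    puts(decode_checked(q, name, sizeof name) < 0 ? "Bad request" : name);
    return 0;
}
```

The checked version rejects oversized input outright rather than truncating it, so a caller never acts on a silently shortened value.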