From: Justin Mason (jm at JMASON.ORG)
Date: Thu Apr 05 2001 - 06:22:04 CDT
Franklin DeMatto said:
> My question for the list is as follows: What did I miss? Most of the real
> damage in my list can be eliminated with just a few lines of extra code -
> the major problem being that most CGI programmers don't know/care. But I'm
> sure there are some other problems, harder to exploit but harder for the
> programmer to avoid as well, that are out there. Anyone . . . ?
I think what's happened is that CGI programmers, for the most part, just
didn't get the idea of secure programming.
The documentation for, and discussion of, avoiding various exploit methods
has been around since the CGI spec was on a page at hoohoo.ncsa.uiuc.edu.
It's just that very few CGI authors bothered reading or comprehending it.
There's even a "perlsec" manual page, and a section of the Perl FAQ,
devoted to it.
People who write traditional UNIX daemon code, for the most part, had a
bit of this knowledge; but writing CGIs (which essentially have the same
access to the host system as traditional UNIX daemons) is an order of
magnitude easier.
Just IMO...
Also, I would not pick out perl CGIs in particular. Shell-script CGIs are
much worse ;) Seriously though -- has anyone looked into PHP or other
CGI languages? Do they fundamentally have better support for CGI
security?
--j.
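The "few lines of extra code" and the perlsec mechanism the reply points to look like this in practice. This is an added example, not code from the thread or from either poster; it assumes CGI.pm is installed (it left the Perl core in 5.22) and that a directory /var/tmp/reports exists and is writable by the web server user.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;    # assumption: CGI.pm is available on the host

# perlsec: under -T every value that comes from outside the program (CGI
# parameters, %ENV, file input) is "tainted", and Perl dies if tainted data
# reaches system(), exec(), a write-mode open(), unlink() and similar calls.

# Environment cleanup perlsec recommends before running any external command;
# $ENV{PATH} is itself tainted until it is assigned a fixed value.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# The only way to untaint a value is to extract it through a regex capture,
# so the pattern is an explicit allow-list of what a valid name looks like,
# not a list of "bad" characters to strip.
sub untaint_report_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return;    # reject anything else; do not try to "clean it up"
}

my $name = untaint_report_name($q->param('report'));
print $q->header('text/plain');

if (!defined $name) {
    print "rejected: 'report' must be 1-32 characters of [A-Za-z0-9_-]\n";
    exit 0;
}

# Both operations below would die under -T if $name were still tainted, so
# a value such as "../../etc/passwd" can never reach them.
my $dir  = '/var/tmp/reports';    # assumption: exists and is writable
my $path = "$dir/$name.txt";
open my $out, '>>', $path or die "cannot append to $path: $!";
print {$out} scalar(localtime), " viewed from ", ($ENV{REMOTE_ADDR} // '-'), "\n";
close $out;

# The list form of system() never goes through a shell, so there is no
# quoting or metacharacter problem regardless of what $path contains.
system('/bin/ls', '-l', '--', $path) == 0
    or print "listing failed\n";

print "recorded view of $name\n";
```

The -T switch must be in effect from the very start of the interpreter (via the shebang line when the web server executes the script directly, or `perl -T script.cgi` on the command line); adding it later produces "Too late for -T switch". Taint mode does not make the allow-list regex correct for you: it only guarantees that a value which was never validated at all cannot reach a dangerous call, which is the class of omission the reply above is describing.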