Peter Faulks wrote:

> I've been offered a job to write a CGI programme.
> 
> The client's ISP has a company policy against the use of PHP.
> Are there known security issues with PHP?

Tele-housing perhaps? Then you can install Apache + SSL
+ PHP + mod_perl + Mysql. A killer machine you own and control.
And can guarantee security for your client.

The danger with scripting on a web server (PHP, perl, CGI in general)
is that there are undiscovered exploits lurking to bite you. An ISP's
web server might be multi-purpose and hold sensitive data for
client sites that is strictly controlled through CGIs owned and
controlled by the ISP's staff and consultants. It is safer this way.
 
> Also, are there any security issues with fast cgi (Apache/mysql)?
> I had a quick look at the source, it seems to me there are a few
> places where buffer overrun could be induced, but I haven't really
> had a good look yet.

You'll have to look much further than string manipulation and
obvious buffer overflows.

For example, it was discovered last year that certain exploits were
possible with perl by passing carefully crafted strings containing
a NULL byte between innocuous content and a nasty system exploit.
perl ignores the NULL byte in the string, but the underlying system
is written in C, where a NULL byte is a string terminator. Thus, perl
could inadvertently pass a buffer overflow on to a system routine.

Then there are race conditions in every part of the system, subtle
internal configuration errors, the complex interplay of all the installed
server components and general lack of proper security in the web server
installs that make provision of CGI to the general world daunting.
Safer to disallow public CGI scripting.

One solution I have had in the past is to get the staff of the 
service provider to vet and install the scripts for me. If they'll
do it!


> 'The day Microsoft makes something that doesn't suck is the day
>   they start making vacuum cleaners.'

Vapour vacuum cleaners from M$ .... ewwwwwwwwwwwww.

Cheers
RickW

--
Rick Welykochy || Praxis Services Pty Limited
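An added illustration of the NULL-byte mismatch Rick describes (example code, not from anyone in the thread), written in C because the fault sits at the boundary where a length-counted script string becomes a NUL-terminated C string; the `counted_str` type, the `.html` suffix check and the file-name character whitelist are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A length-counted string, the way a scripting language such as perl
 * carries data: the length travels with the bytes, so an embedded NUL
 * is just another byte. Hypothetical type for this example. */
typedef struct { const char *data; size_t len; } counted_str;

/* What a C routine sees when handed s.data as a NUL-terminated string:
 * everything after the first NUL byte is silently dropped. memchr is
 * bounded by len, so we never read past the script-side buffer. */
size_t c_visible_len(counted_str s) {
    const char *nul = memchr(s.data, '\0', s.len);
    return nul ? (size_t)(nul - s.data) : s.len;
}

/* A naive script-side check: it inspects all len bytes, so it is
 * happy even when the C side will stop reading long before the end. */
int ends_with_html(counted_str s) {
    const char sfx[] = ".html";
    size_t n = sizeof sfx - 1;
    return s.len >= n && memcmp(s.data + s.len - n, sfx, n) == 0;
}

/* Hardened boundary check before the value reaches a C-level call:
 * refuse anything whose C view differs from the script view, then
 * allow only a conservative file-name alphabet. */
int safe_for_syscall(counted_str s) {
    if (s.len == 0 || c_visible_len(s) != s.len) return 0;
    for (size_t i = 0; i < s.len; i++) {
        unsigned char c = (unsigned char)s.data[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(void) {
    /* constructed CGI input: 15 bytes to the script, 9 bytes to C */
    static const char raw[] = "notes.txt\0.html";
    counted_str s = { raw, sizeof raw - 1 };
    printf("script length %zu, C length %zu, suffix check %d, safe %d\n",
           s.len, c_visible_len(s), ends_with_html(s), safe_for_syscall(s));
    return 0;
}
```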


--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
