[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Re: two good poems -> JSP/Perl/PHP/C/CGI etc etc for www

>>>>> "Amit" == Amit Soni <amitsoni@xxxxxxxxxxxx> writes:

    Amit> [snip]
    Amit> BTW my question still stands ...why is C/C++ risky ?? for
    Amit> CGI applications.

Languages like Perl and Java do dynamic allocation of memory for
strings, unlike C/C++ where the programmer has to define the size of
each string in advance.  Thus in C and C++ it's easy to find programs
written by careless programmers where string buffers and stacks can be
overflowed by sending data larger than the programmer anticipated,
which can in turn lead to serious security problems.

I don't have the exact statistics, but my guess would be that about
75% of all vulnerabilities reported in Linux and Winduhs over the past
year have been due to buffer overflow problems, all in programs
written in C/C++.

I'm not bringing SuidPerl and Taint mode into this discussion --
that's another story altogether (man perlsec for details).


-- Raju
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/