基于 CGI 的 Web 应用程序的安全性如何?
使用 CGI 的一个众所周知的主要缺点是网络服务器性能较差。 但是基于 CGI(主要是 C/C++)的应用程序的安全性如何? 基于C/C++构建的CGI架构是否存在重大安全漏洞?
我想了解一些基于 CGI 的网络应用程序/网站的现实生活实现。 我所知道的一个是 javaranch.com。
A very well known major drawback of using CGI is poor webserver performance. But how secure are CGI (mainly C/C++) based applications? Are there any major security holes in CGI architecture built on C/C++?
I would like to know some real life implementations of CGI based web apps/web sites. One that I know of is javaranch.com.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我在任何地方(包括 C/C++)都会看到的主要安全漏洞是不使用标准的开放 CGI 库,不阅读其文档,并认为无论如何都是安全的。
安全总是多方面的,而且总是不完整的。 各种软件中一直都存在漏洞——以前可能被认为是安全的软件。 与 15 年前相比,现在我们拥有更多的安全最佳实践。 我们还有 SELinux 来提高安全性。
当然,问题是——你的应用程序有足够的安全性吗? 合理的努力能否为您带来合理的安全级别? 当然,这就是为什么我不使用 C/C++,而是使用 Perl。 与在 C++ 中相比,在 Perl 中确保不覆盖内存需要花费更少的精力。 这是一个不涉及实际工作的安全级别。
The major security hole I would see anywhere, C/C++ included, would be not using a standard, open CGI library, not reading its documentation, and thinking you're secure anyway.
Security is always multi-faceted, and always incomplete. There are holes being found in all sorts of software all the time - software that may have been previously thought secure. And now we have many more best-practices for security than we did, say, 15 years ago. And we have SELinux for more security.
Of course, the question is - do you have enough security for your app? Does a reasonable effort get you a reasonable level of security? Of course, that's why I don't use C/C++, but I use Perl instead. It takes a lot less effort to ensure I don't overwrite memory in Perl than it does in C++. That's a level of security right there with no actual work involved.
CGI 并不比任何其他 WSAPI 更不安全。 一切都与程序如何处理代码有关。 CGI 所做的只是设置环境变量并处理程序。
CGI is no more insecure than any other WSAPI. It's all about what the program does with the code. All CGI does is set environment variables and handles off to the program.
许多网站都是基于 CGI 的。 许多位于主机上的 PHP 站点都以 CGI 模式运行 - mod_php 很难在共享环境中使用 - 没有 suid。
一般来说,作为 CGI 运行的性能较低,但安全性更好 - 您无法访问 Web 服务器内部(如 mod_perl 和 mod_php),因此使用漏洞更困难。 如果您使用 cgi-bin,则非执行文件是不可见的(PHP 程序员的一个常见错误是他们拥有扩展名为 .inc 的库,因此直接请求该文件时会显示源代码)。
Many sites are CGI based. Many PHP sites that are located on hosting are run in CGI mode - mod_php is hard to used in shared environment - no suid.
In general, running as CGI has lower performance, but better for security - you have no access to webserver internals (as with mod_perl and mod_php) so using vulnerabilities is harder. If you use cgi-bin, you non-execute files are not visible (a common bug of PHP programmers is that they have libraries with extension like .inc so source is shown when this file is requested directly).
Perl 的污染检查模式提供了一种提高安全性的奇妙方法。
Perl's taint-checking mode provides a marvelous way to increase security.