- Quoth Barbie: "Web dev is tough!"
Here's the problem, folks: web developers are too busy baking in new features, while remaining woefully uneducated in basic programming techniques. Make no mistake about it: this is a flaw in Perl. I love Perl to pieces, used it for years. But read this article closely. There is a flaw in Perl within the string formatting functions that allows the user to control your system, if certain input is passed into it. In the case of Webmin, this software passes a string directly from the user to the formatting function, allowing a user of the Webmin program to exploit the Perl flaw.
Web development is probably one of the most difficult programming jobs out there, while appearing to be extremely easy. Unlike a desktop application, the programmer has zero control over anything that happens to the data before it gets to the server. You can put in all of the JavaScript checking that you want, it does not matter. You can have your form fields limit the size of the data, it does not matter. All it takes is for someone with a telnet client to pass arbitrary data to your software.
With that in mind, it is far too easy for a web developer to simply say 'SELECT * FROM SCHEMA.DATABASE WHERE ID = ' . $_GET['id_code'] and guess what happens when the user passes an "ID Code" of "0 AND 1 = 1"? They get all database results. Let's make it worse. Change that "ID Code" to "0 AND 1 = 1; DROP TABLE SCHEMA.DATABASE;". Boom, your database is gone. This is known as a SQL injection attack. This kind of thing is NOT, I repeat, NOT discussed in your computer science courses! It is NOT mentioned in the help files of your compiler! It is rarely mentioned!
The primary, number one rule for any, ANY web development project is: Never. Trust. The. Input. Period.
I cannot stress that enough. The people who wrote Webmin obviously forgot it. Modern web application frameworks completely expose the user's input to you, without a tainting mechanism. They count on you, the developer, to properly examine that input and determine if it is malicious input based upon the context that you will be using it in.
There are simply too many second-rate programmers releasing software that has enough functionality to make them widely adopted, but is so poorly written that anyone with some time on their hands and a bit of knowledge could drive a truck through the application and destroy it and users' data, and possibly take over the entire server. The Web 2.0 crowd, the AJAX crowd, all of the SaaS crowd, the thin client crowd, all of these people need to wake up to this fact. Web application frameworks and web application development techniques are still in their infancy, and by and large are not ready for enterprise-class computing.
J.Ja - Posted by: Justin James Posted on: 11/30/05
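The following is an added example, not part of Justin James's post, that puts his "Never. Trust. The. Input." rule into running code. It assumes Python's standard-library sqlite3 module and a constructed three-row `users` table; the `id_code` values are constructed inputs. It shows the concatenated query from the post beside two defences: a bound parameter (the engine never parses the user's text as SQL) and a context-aware check that an ID code must be an integer before it goes anywhere near the database.

```python
import sqlite3

# Constructed sample data (assumption: not from the original post).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, id_code):
    """String concatenation, as in the post's pseudo-code: the user's text
    becomes part of the SQL statement, so a tautology such as
    "0 OR 1 = 1" turns an exact-match lookup into "return every row".
    (sqlite3's execute() refuses stacked statements, so the post's
    "; DROP TABLE" variant is not reproduced here; other drivers allow it.)"""
    sql = "SELECT id, name FROM users WHERE id = " + id_code
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_code):
    """Bound parameter: the value travels to the engine separately from the
    statement text and is only ever compared as a value, never parsed."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (id_code,)
    ).fetchall()


def is_valid_id_code(id_code):
    """Context-aware input check: in this context an ID code is a
    non-negative decimal integer and nothing else."""
    return isinstance(id_code, str) and id_code.isdigit()


def lookup_safe(conn, id_code):
    """Validate first, then bind: rejects anything that is not an integer
    before it reaches the query, and binds what remains."""
    if not is_valid_id_code(id_code):
        raise ValueError("id_code must be a non-negative integer")
    return lookup_parameterized(conn, int(id_code))


if __name__ == "__main__":
    db = make_db()
    tautology = "0 OR 1 = 1"  # constructed injection input
    print("concatenated:", lookup_vulnerable(db, tautology))   # all 3 rows
    print("parameterized:", lookup_parameterized(db, tautology))  # []
    print("validated:", lookup_safe(db, "2"))                  # [(2, 'bob')]
```

The parameterized lookup alone already defeats the tautology, but it does so by comparing the literal string "0 OR 1 = 1" against an integer column, which silently returns nothing. The validating wrapper is the stronger shape of the rule in the post: decide what the input is allowed to be in this context, reject everything else with an error you can log, and only then bind it.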