tomcat-users mailing list archives

From QM <qm...@brandxdev.net>
Subject Re: Security of Servlets
Date Thu, 30 Sep 2004 19:17:01 GMT
On Thu, Sep 30, 2004 at 02:55:45PM -0400, Rhino wrote:
: We are giving some thought to putting a CGI-based Wiki, specifically OddMuse,
: on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)',
: the authors warn that "The biggest cause for concern about protecting your
: site from external threats is CGI scripts." They go on to suggest various
: precautions that will reduce the risk.
: 
: This has me wondering if servlets are equally insecure or have a much stronger
: security model.

The authors of that book may have said "CGI" but what they probably
meant, in a larger scheme, was "executables and other server-side
dynamic content."

Web servers that only dish out static content are tougher to crack (in a
certain sense) because they have a fairly rigid set of permissible
values: either the specified file exists under the doc root, or it
doesn't.

Executables and other server-side dynamic content (CGI, servlets/JSPs,
PHP, etc.) permit end-users to interact with the server in a different
way: they must process user input, and in doing so, watch out for
malformed values.

So, other than a denial-of-service attack caused by flooding a CGI-based
service with requests (i.e. filling the process table as each httpd
process fork()s to spawn a new CGI child), there's not a whole lot of
difference between CGI, PHP, Java, etc.


: However, I can't find any
: categorical statement that says servlets are actually any more secure than
: CGI.

See above. ;)


: I was wondering if someone with extensive experience with the security aspects
: of both servlets and CGI can give me any sense of which is more secure and
: why? I need this information so that we can choose the right approach for our
: wiki.

See above. ;)

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

