Preserving Integrity
Don't Let Tainted Data Get You In a Jam
By Matt Curtin
With the attention security problems are getting these days, we're finding that our clients are increasingly interested in the details of the online systems we build for them. A number of security issues can affect applications written in languages like Perl, Python, and Tcl.
Scripting languages have a few important things in common. Because they're higher-level languages and don't provide the kinds of low-level memory manipulation that C does, they're not vulnerable to many of the same types of attacks. Yet, because many compilers and interpreters for scripting languages are implemented in C, a bug in the underlying implementation could expose you to attack. But simple research on the vulnerabilities floating around will show you that these problems are rare, if not unheard of.
This doesn't mean that attacks against programs written in these languages don't exist. For example, there are many examples of poorly written Perl code, particularly CGI programs, that expose the host to risks it wouldn't otherwise face.
Evaluating Risk
The most common security problem with applications written in these languages is inappropriate handling of user-supplied data. Rather than overflowing an input buffer and sending a binary executable along with it (as one might do to crack a C program), these attacks center on the relative ease with which these languages can evaluate data.
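As an added illustration of that risk, not code from the article, the Perl script below runs under taint mode (`-T`), validates a user-supplied report name with a whitelist regex, and invokes the external command without a shell; the `/var/reports` directory and the `untaint_report_name` helper are assumptions for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Under -T, data from outside the program (@ARGV, %ENV, STDIN, file reads) is
# tainted, and Perl dies rather than pass it to system(), exec() or a piped
# open(). %ENV is tainted too, so PATH must be set explicitly before any
# external command can run.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist validation: the only way to launder tainted data is to capture the
# part you have verified with a regex. Accept a plain report name and nothing
# else; the caller decides what to do with a rejection.
sub untaint_report_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([\w.-]{1,64})\z/;   # captured text is untainted
    return;
}

# Inputs come from the command line (tainted). When none are given, fall back
# to constructed samples; literals are not tainted, but the validation is the
# same. The second sample carries shell metacharacters and must be rejected.
my @inputs = @ARGV ? @ARGV : ('report-2024', 'report; echo oops');

for my $raw (@inputs) {
    my $name = untaint_report_name($raw);
    if (!defined $name) {
        print "rejected: '$raw'\n";
        next;
    }
    # Even with a validated value, avoid the shell entirely: the list form of
    # system() hands each argument straight to the program, so metacharacters
    # are never interpreted. (The /var/reports directory is an assumption.)
    my $rc = system('/bin/ls', '-ld', "/var/reports/$name");
    print "ls exited with status ", $rc >> 8, " for $name\n";
}
```

Dropping the `-T` switch makes the script run the same way, but then nothing stops a future edit from passing raw input straight to `system()`; taint mode turns that mistake into an immediate, visible failure.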