Alex Lambert wrote:

> > "There is no such thing as dangerous functions, only dangerous
> > developers."*
>
> Perl's print statement is safe, right? No buffer overflows *there*...
>
> print 'Hello, '.$query->param('name');
>
> Except now I'm vulnerable to cross-site scripting :)

Languages which allocate memory automatically generally aren't
vulnerable to buffer overflows. OTOH, they tend to be more susceptible
to DoS attacks. E.g. a function which reads "one line" of input may
just keep reading data until it exhausts available memory.

Also "scripting" languages (those which make extensive use of textual
substitution) tend to be prone to "metacharacter injection" attacks.
This applies heavily to sh/bash/csh/etc (and hence to anything that
uses them, e.g. C's system() function and similar) and substantially
to Tcl (particularly for "eval"). There are also aspects of other
languages for which it's a problem, e.g. perl's backticks and the
open() function.

--
Glynn Clements <glynn.clements (at) virgin (dot) net [email concealed]>

[ reply ]