You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Rhino <rh...@sympatico.ca> on 2004/09/30 20:55:45 UTC
Security of Servlets
We are giving some thought to putting a CGI-based Wiki, specifically OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)', the authors warn that "The biggest cause for concern about protecting your site from external threats is CGI scripts." They go on to suggest various precautions that will reduce the risk.
This has me wondering if servlets are equally insecure or have a much stronger security model. I also have Jason Hunter's 'Java Servlet Programming (Second Edition)' which has a 30 page chapter on Security that details how various forms of authentication take place in servlets. However, I can't find any categorical statement that says servlets are actually any more secure than CGI.
I was wondering if someone with extensive experience with the security aspects of both servlets and CGI can give me any sense of which is more secure and why? I need this information so that we can choose the right approach for our wiki.
Also, if servlets are more secure than CGI, is anyone aware of a wiki that runs as a servlet, preferably open source?
Rhino
---
rhino1 AT sympatico DOT ca
"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies." - C.A.R. Hoare
Re: Security of Servlets
Posted by QM <qm...@brandxdev.net>.
On Thu, Sep 30, 2004 at 02:55:45PM -0400, Rhino wrote:
: We are giving some thought to putting a CGI-based Wiki, specifically OddMuse,
: on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)',
: the authors warn that "The biggest cause for concern about protecting your
: site from external threats is CGI scripts." They go on to suggest various
: precautions that will reduce the risk.
:
: This has me wondering if servlets are equally insecure or have a much stronger
: security model.
The authors of that book may have said "CGI" but what they probably
meant, in a larger scheme, was "executables and other server-side
dynamic content."
Web servers that only dish out static content are tougher to crack (in a
certain sense) because they have a fairly rigid set of permissible
values: either the specified file exists under the doc root, or it
doesn't.
Executables and other server-side dynamic content( CGI, servlets/JSPs,
PHP, etc) permit end-users to interact with the server in a different
way: they must process user input, and in doing so, watch out for
malformed values.
So, other than a denial-of-service attack caused by flooding a CGI-based
service with requests (i.e. filling the process table as each httpd
process fork()s to spawn a new CGI child), there's not a whole lot of
difference between CGI, PHP, Java, etc.
: However, I can't find any
: categorical statement that says servlets are actually any more secure than
: CGI.
See above. ;)
: I was wondering if someone with extensive experience with the security aspects
: of both servlets and CGI can give me any sense of which is more secure and
: why? I need this information so that we can choose the right approach for our
: wiki.
See above. ;)
-QM
--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Security of Servlets
Posted by Hassan Schroeder <ha...@webtuitive.com>.
Rhino wrote:
/* others having responded to the first issue(s), I'll just confine
myself to this one :-) */
> is anyone aware of a wiki
> that runs as a servlet, preferably open source?
You might look at JSPWiki -- <http://www.jspwiki.org/>
FWIW!
--
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org