Security of Servlets


We are giving some thought to putting a CGI-based Wiki, specifically
OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth
Edition)', the authors warn that "The biggest cause for concern about
protecting your site from external threats is CGI scripts." They go on to
suggest various precautions that will reduce the risk.

This has me wondering if servlets are equally insecure or have a much
stronger security model. I also have Jason Hunter's 'Java Servlet
Programming (Second Edition)' which has a 30 page chapter on Security that
details how various forms of authentication take place in servlets. However,
I can't find any categorical statement that says servlets are actually any
more secure than CGI.

I was wondering if someone with extensive experience with the security
aspects of both servlets and CGI can give me any sense of which is more
secure and why? I need this information so that we can choose the right
approach for our wiki.

Also, if servlets are more secure than CGI, is anyone aware of a wiki that
runs as a servlet, preferably open source?

Rhino
---
rhino1 AT sympatico DOT ca
"There are two ways of constructing a software design. One way is to make it
so simple that there are obviously no deficiencies. And the other way is to
make it so complicated that there are no obvious deficiencies." - C.A.R.
Hoare


Reply Rhino 9/30/2004 6:59:35 PM

"Rhino" <rhino1@NOSPAM.sympatico.ca> said:
>We are giving some thought to putting a CGI-based Wiki, specifically
>OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth
>Edition)', the authors warn that "The biggest cause for concern about
>protecting your site from external threats is CGI scripts." They go on to
>suggest various precautions that will reduce the risk.
>
>This has me wondering if servlets are equally insecure or have a much
>stronger security model.

The risk depends largely on the implementation language of the said CGIs.
It also depends largely on the CGI code quality. F.ex., if the CGIs are
written as shell scripts, it may be very difficult to code them well
enough to prevent a dedicated attacker from being able to execute
arbitrary shell commands. On the other hand, CGIs written in C may
have problems with memory allocation, allowing binary code injection
(i.e. provide the attacker with a way to supply machine code to run
on the server, in addition to or instead of the actual CGI code). Naturally,
these attacks are limited by the user account and environment used to run
the CGI programs (unless the WWW server has other security bugs making
privilege escalation attacks possible).

With servlets, I'd guess the most common weak points are around 'sql
injection' -- i.e. database interfacing code done in a way that permits
an attacker to modify the performed database queries to do something
completely unexpected. Sql injection attacks are rather language-
agnostic, so they're in no way specific to software written in Java.

>However, I can't find any categorical statement that says servlets are
>actually any more secure than CGI.

... mostly because they aren't. CGI as such isn't a security problem.
It's a more-or-less well-defined interface, and the CGI interface
definition itself doesn't contain security problems.
-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Reply Juha 10/1/2004 8:29:28 PM
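
Added example, not part of the posts in this thread: the shell-script CGI risk described in the reply above, shown as an `eval`-based parameter parser beside a hardened one that splits the query string without `eval` and allowlists the value. The `page` parameter, `WIKI_DIR`, the `.txt` layout and all sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges below byte-exact

# UNSAFE, kept only for contrast: eval runs request data as shell code.
# With the constructed input 'page=Home;MARKER=set' it also assigns MARKER.
get_page_unsafe() {
    eval "$1"
    printf '%s\n' "$page"
}

# Hardened: split the query string without eval, then allowlist the value.
# Percent-encoded input is rejected rather than decoded ('%' is not allowed).
get_page_safe() {
    qs=$1 page=
    old_ifs=$IFS; IFS='&'; set -f        # split on '&', no glob expansion
    for pair in $qs; do
        case $pair in page=*) page=${pair#page=} ;; esac
    done
    set +f; IFS=$old_ifs
    case $page in
        ''|*[!A-Za-z0-9_-]*) return 1 ;; # empty, or a byte outside the allowlist
    esac
    [ "${#page}" -le 64 ] || return 1    # bound the length as well
    printf '%s\n' "$page"
}

# Hypothetical CGI handler: WIKI_DIR and the .txt layout are assumptions.
# The validated name is always used quoted and after '--'.
handle_request() {
    if name=$(get_page_safe "$1"); then
        printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
        cat -- "${WIKI_DIR:-/var/wiki}/$name.txt" 2>/dev/null || :
    else
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'bad page name\n'
    fi
}
```

In a real CGI script the argument would be `"$QUERY_STRING"`; the same allowlist approach applies to every other request-derived value the script touches.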


Rhino <rhino1@nospam.sympatico.ca> wrote:
> We are giving some thought to putting a CGI-based Wiki, specifically
> OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth
> Edition)', the authors warn that "The biggest cause for concern about
> protecting your site from external threats is CGI scripts." They go on to
> suggest various precautions that will reduce the risk.
> 
> This has me wondering if servlets are equally insecure or have a much
> stronger security model. I also have Jason Hunter's 'Java Servlet
> Programming (Second Edition)' which has a 30 page chapter on Security that
> details how various forms of authentication take place in servlets. However,
> I can't find any categorical statement that says servlets are actually any
> more secure than CGI.

CGI programs (often implemented as scripts) are executed on the server.
When the web server is running as root, a programming error can destroy
the system. With various methods, this risk can be reduced to a reasonable
level.

Java Servlets are run within an application server. This is not inherently
more secure, but it does make it easier to secure it. Options are within
reach: OS user of the app server, policy file, ...

Note however: with a good security oriented mindset, securing Java
Servlets is at most a bit easier and just as secure as using CGI. The main
advantage lies in the sandboxed environment of Java, that allows you to
easily run applications within the same app server (even with conflicting
versions of libraries).



-- 
Oscar Kind                                    http://home.hccnet.nl/okind/
Software Developer                    for contact information, see website

PGP Key fingerprint:    91F3 6C72 F465 5E98 C246  61D9 2C32 8E24 097B B4E2
Reply Oscar 10/9/2004 7:50:15 PM
