Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Ovid, compliments on a great post..I know I'll be following any discussion on this thread with great interest

I have a few CGI scripts for the company that I work for, and I have recently come up against the same problem (I actually didn't want to install Perl on the webservers, so I took the really lazy way out and compiled the scripts into executables..), performance is an issue now, though, and both the compiled executables and conventional CGI scripts fail various load tests.. because of my employers committment to a Microsoft based server platform, I am also considering a move to ISAPI..

I wasn't aware of a tainting issue with ISAPI, but I can see one way around it...if the production and development servers are separated, because performance is not a big issue in the development servers, run Apache for Win32 and mod_perl and/or CGI scripts, and enable tainting... if a good test suite can be built (you really do need a separate QA unit, possibly running their own webservers, if needed), and if all the obvious taint checks are passed in the development servers, then, you can "promote" the script to run on the ISAPI based production servers (even with taint checks turned off)..

Its by no means a perfect solution, but given the restrictions which you have to work with (and these restrictions are the same ones that I work under as well), its the only way to ensure that some level of security checks are passed before a script runs in a production server...

Might I also add that nessus is a particularly useful piece of software for running automated security checks on servers.. it can't catch everything of course, but it does probe servers for the more common types of CGI and server vulnerabilities..

In reply to Re: Alternatives to Taint Checking? by tinman
in thread Alternatives to Taint Checking? by Ovid

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others taking refuge in the Monastery: (5)
    As of 2018-04-22 17:23 GMT
    Find Nodes?
      Voting Booth?