These five programming languages have flaws that expose apps to attack

Securely developed apps may be at risk due to security issues in popular interpreted programming languages.
Written by Liam Tung, Contributing Writer

Even software that has been built with secure development procedures may still be vulnerable to attack, due to flaws in the interpreted programming languages it depends on.

IOActive researcher Fernando Arnaboldi revealed at last week's Black Hat Europe conference that serious flaws in interpreters for five popular programming languages put applications parsed by them at risk.

Arnaboldi found, for example, that Python has "undocumented methods and local environment variables that can be used for OS command execution".


NodeJS, a JavaScript interpreter, could meanwhile leak file contents through the error messages it outputs, while JRuby, the Java implementation of Ruby, "loads and executes remote code on a function not designed for remote code execution".

For Perl, Arnaboldi cites the ability of its typemaps function, included in its default set of modules, to execute code. In PHP, meanwhile, certain native functions can be passed a constant's name to perform a remote command execution.

He believes these vulnerabilities may have been caused by attempts to simplify software development.



"The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters," he noted.

"With regards to the interpreted programming languages vulnerabilities, software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee. Some of these behaviors pose a security risk to applications that were securely developed according to guidelines," wrote Arnaboldi.

The researcher discovered the flaws using XDiFF, a 'differential fuzzer' he created and targeted at several interpreters for different languages.

For JavaScript, targets included Google's V8 JavaScript engine, Microsoft's equivalent ChakraCore, Mozilla's SpiderMonkey, NodeJS, and Node-ChakraCore.

In PHP, he fuzzed PHP and HHVM, while for Ruby the targets included Ruby and JRuby. He also fuzzed Perl, ActivePerl, CPython, PyPy, and Jython.
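The general idea behind differential testing of interpreters, as an added example that is not XDiFF's code and not from Arnaboldi's research: run the same input through several targets and flag the inputs on which they disagree. The two targets here are an assumption, one CPython binary in two modes standing in for separate implementations such as CPython and PyPy, and the inputs are constructed.

```python
import subprocess
import sys
from collections import defaultdict

# Stand-in targets (assumption): one CPython binary in two modes, so the
# example runs offline. Swap in e.g. ["pypy3", "-c"] to compare real
# implementations. -I makes each run ignore PYTHON* environment variables,
# so the local environment cannot skew the comparison.
TARGETS = {
    "cpython": [sys.executable, "-I", "-c"],
    "cpython-O": [sys.executable, "-I", "-O", "-c"],
}

# Constructed sample inputs; a fuzzer would generate these.
INPUTS = [
    "print(1 + 1)",
    "assert False, 'guard'",
    "print(int('0x10', 16))",
]


def run(cmd, snippet, timeout=10):
    """Run one snippet in one target and reduce the result to a comparable tuple."""
    try:
        p = subprocess.run(cmd + [snippet], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", "", "")
    # Keep only the exception type from stderr: tracebacks carry paths and
    # wording that differ between targets without being a real divergence.
    lines = p.stderr.strip().splitlines()
    err = lines[-1].split(":", 1)[0] if lines else ""
    return (p.returncode, p.stdout.strip(), err)


def diff_inputs(targets, inputs):
    """Return {snippet: {outcome: [target names]}} for snippets where targets disagree."""
    findings = {}
    for snippet in inputs:
        groups = defaultdict(list)
        for name, cmd in targets.items():
            groups[run(cmd, snippet)].append(name)
        if len(groups) > 1:
            findings[snippet] = dict(groups)
    return findings


if __name__ == "__main__":
    for snippet, groups in diff_inputs(TARGETS, INPUTS).items():
        print(repr(snippet), groups)
```

Only the `assert` input is reported: under `-O` the assertion is compiled out, so a guard that stops one target is silently skipped by the other.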

As he's previously pointed out, the research shows that applications can suffer from security issues when using certain features from programming languages.

"There are a number of possibilities to be abused in different implementations that could affect secure applications. There are unexpected scenarios for the interpreted programming languages parsing the code in JavaScript, Perl, PHP, Python and Ruby," Arnaboldi wrote.
