by devy 2195 days ago

   In SOHO devices like the R7000, the web server must parse user input 
   from the network and run complex CGI functions that use that input. 
   Furthermore, the web server is written in C and has had very little testing, 
   and thus it is often vulnerable to trivial memory corruption bugs.
I wonder why these network equipment manufacturers are still using CGIs in their firmware?! Is it because the MCUs they use in their hardware are too weak to run a modern version of Linux with reasonable choices to build a custom compiled version of the web server in Rust, not C?
2 comments

They're running CGI and writing homemade web servers in C because they haven't maintained or upgraded their software in decades.

I don't think they are low power devices. My bet would be they're relatively normal hardware running a light Linux. It takes quite a bit of power to route gigabit ethernet or ac wifi.

> They're running CGI and writing homemade web servers in C because they haven't maintained or upgraded their software in decades.

Sometimes, certainly :) However...

> I don't think they are low power devices. My bet would be they're relatively normal hardware running a light Linux. It takes quite a bit of power to route gigabit ethernet or ac wifi.

It doesn't take much compute to handle high-end eth/wifi if you offload it to hardware, and even doing it on-CPU (which I don't think is actually common) probably wouldn't impact RAM/storage, so you could still manage with a stronger CPU and comically tiny memory.

Rust isn't magic. And you can write CGIs in any language. Shouldn't we also ask why they are using their own web server? Or why a company with millions of devices deployed has done little testing?

> Rust isn't magic.

Let's not go into that debate. It's a good start to improve security postures, regardless of how you spin it.

But more importantly, my point is why are they doing CGI at all?

There is nothing wrong with CGI. It's simply a standard to forward a request from a web server to another application using environment variables and stdio. Generally, you want your router routing, not wasting CPU and memory running admin applications that are used less than once a month.

CGI is still a great environment for a simple webapp on an embedded device. Using Rust is normally overkill and increases complexity. Python/PHP should be enough.

BTW, the quality of embedded webapps mostly sucks.