On Wed, 8 Jul 1998, Andrew Pimlott wrote: > I notified the author of a variant of this bug last summer (which he > fixed; see > http://www.engelschall.com/sw/eperl/distrib/eperl-SNAP/ChangeLog). I > honestly wouldn't trust eperl for a minute. These are very simple > mistakes. > > > This can lead to arbitrary Perl code being executed on > > the server. To be honest, although I ended up not using ePerl, I would consider this mistake fairly understandable. I mean, I can't think of anywhere that still uses ISINDEX, so it's not that strange for it to fall out of a developer's mental space. I do want to make one point about the original bug report: If I read it correctly, then you will only be able to execute ePerl code, *not* Perl code. ePerl starts off in "plain text" mode, so anything until the ePerl-open tag will be output as plain text. Of course, this does mean that a user would be able to read an arbitrary file that's accessible to nobody, but it doesn't mean they can execute whatever they want -- only ePerl pages, which are usually written to be safe (since they're usually a Web page anyway).
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:29 PDT