ePerl Security Update Available
===============================

A security bug report from Tiago Luz Pinto <tiagoat_private> about ePerl 2.2.12 appeared on BugTraq on 06-Jul-1998, showing that ePerl was incorrectly handling ISINDEX queries (passed as command-line arguments by the webserver) when ePerl runs as a (NPH-)CGI script for *.phtml pages.

In summary, the problem is that under ePerl 2.2.12 a request to

  http://foo/dir/bar.phtml?/absolute/path/to/quux.phtml

(i.e. a request for bar.phtml with a QUERY_STRING containing an absolute path to quux.phtml, both being ePerl pages) does not lead to the evaluation of bar.phtml. Instead quux.phtml is evaluated, because ePerl 2.2.12 incorrectly determined the source from the command line instead of from PATH_TRANSLATED when QUERY_STRING was present.

This is some sort of security hole and at least a bug, because this way one can evaluate ePerl pages through different URLs. But the statement ``This can lead to _arbitrary_ Perl code being executed on the server.'' from the original security report is not quite correct, because quux.phtml is still treated as a text file which is just bristled with ePerl blocks, and such files usually exist for exactly that reason: evaluation as HTML pages on the web with embedded Perl code.

Nevertheless it's a nasty bug, and I have now once again (I have fixed such QUERY_STRING related bugs in the past) compared the different run-time environments for ePerl (notice that ePerl is more than just a CGI program; it can be used in a lot of modes, so the determination is really _NOT_ trivial; look inside eperl_main.c if you doubt me) and rewrote the mode determination. It is no longer confused by command-line arguments under the CGI environment when QUERY_STRING is present. I encourage users of ePerl 2.2.12 to upgrade to ePerl 2.2.13.
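To make the source-selection mistake concrete, here is a small added example (written for this page, not code from eperl_main.c or the ePerl distribution) that models the decision in C. The struct fields, the helper names, and the docroot path /var/www/dir/bar.phtml are this example's own assumptions; the request shape is the one from the advisory. Under CGI/1.1, a query string containing no '=' is an ISINDEX query and the webserver additionally passes its '+'-separated words to the script as command-line arguments, which is how a URL path ends up in argv:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of what ePerl sees at start-up in (NPH-)CGI mode:
 * the CGI environment set by the webserver plus the command line it builds
 * from an ISINDEX query.  Field names are this example's own, not those
 * used in eperl_main.c. */
typedef struct {
    const char *path_translated;  /* PATH_TRANSLATED: file the URL maps to   */
    const char *query_string;     /* QUERY_STRING: text after '?' in the URL */
    const char *argv1;            /* first command-line argument, or NULL    */
} cgi_request;

/* CGI/1.1: a non-empty query with no '=' is an ISINDEX query, and the
 * server also hands its '+'-separated words to the script as arguments. */
int is_isindex_query(const char *qs) {
    return qs != NULL && qs[0] != '\0' && strchr(qs, '=') == NULL;
}

/* Sketch of the pre-2.2.13 decision the advisory describes: if any
 * command-line argument is present it is taken as the source, even under
 * CGI where that argument came straight from the request URL. */
const char *source_vulnerable(const cgi_request *r) {
    if (r->argv1 != NULL && r->argv1[0] != '\0')
        return r->argv1;
    return r->path_translated;
}

/* Hardened decision (this example's version, not a copy of 2.2.13): under
 * CGI the page to evaluate is always the one the webserver resolved into
 * PATH_TRANSLATED; the command line only selects the source outside CGI. */
const char *source_fixed(const cgi_request *r) {
    int under_cgi = r->path_translated != NULL && r->path_translated[0] != '\0';
    if (under_cgi)
        return r->path_translated;
    if (r->argv1 != NULL && r->argv1[0] != '\0')
        return r->argv1;
    return NULL;  /* no source at all: caller should report an error */
}

/* Constructed sample: the request shape from the advisory,
 * http://foo/dir/bar.phtml?/absolute/path/to/quux.phtml */
static cgi_request sample_request(void) {
    cgi_request r;
    r.path_translated = "/var/www/dir/bar.phtml";  /* hypothetical docroot */
    r.query_string    = "/absolute/path/to/quux.phtml";
    /* ISINDEX query, so the server also hands it over as argv[1] */
    r.argv1 = is_isindex_query(r.query_string) ? r.query_string : NULL;
    return r;
}

/* Which file each decision would evaluate for the sample request. */
const char *demo_vulnerable(void) {
    cgi_request r = sample_request();
    return source_vulnerable(&r);
}

const char *demo_fixed(void) {
    cgi_request r = sample_request();
    return source_fixed(&r);
}

int main(void) {
    printf("2.2.12-style choice: %s\n", demo_vulnerable());
    printf("hardened choice:     %s\n", demo_fixed());
    return 0;
}
```

The point of the hardened variant is that the CGI environment, not argv, is the trustworthy statement of which file the webserver already resolved and access-checked; anything that arrived via the query string is request data and must not be allowed to override it.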
The distribution eperl-2.2.13.tar.gz is available under

  http://www.engelschall.com/sw/eperl/
  ftp://ftp.engelschall.com/sw/eperl/

Thanks for supporting ePerl and the Perl community.

Greetings,
Ralf S. Engelschall
rseat_private
www.engelschall.com