ePerl Security Update Available

From: Ralf S. Engelschall (rseat_private)
Date: Fri Jul 10 1998 - 01:49:44 PDT


    ePerl Security Update Available
    ===============================
    
    A security bug report from Tiago Luz Pinto <tiagoat_private> about ePerl
    2.2.12 appeared on BugTraq on 06-Jul-1998. It showed that ePerl was incorrectly
    handling ISINDEX queries (passed as command line arguments by the webserver)
    when ePerl runs as an (NPH-)CGI script for *.phtml pages.
    
    In summary, the problem is that under ePerl 2.2.12 a request to
    
       http://foo/dir/bar.phtml?/absolute/path/to/quux.phtml
    
    (i.e. a request for bar.phtml with a QUERY_STRING containing an absolute path
    to quux.phtml, both of them ePerl pages) does not lead to the evaluation of
    bar.phtml. Instead quux.phtml is evaluated, because ePerl 2.2.12 incorrectly
    determined the source from the command line instead of from PATH_TRANSLATED
    when QUERY_STRING was present.
    
    This is some sort of security hole, and at least a bug, because this way one
    can evaluate ePerl pages through different URLs. But the statement ``This can
    lead to _arbitrary_ Perl code being executed on the server.'' from the
    original security report is not quite correct, because quux.phtml is still
    treated as a text file which is merely interspersed with ePerl blocks. And
    those files usually exist for exactly that reason: evaluation as HTML pages on
    the web with embedded Perl code.
    
    Nevertheless it's a nasty bug, and I've now again (I've already fixed such
    QUERY_STRING related bugs in the past) compared the different run-time
    environments for ePerl (notice that ePerl is more than just a CGI program; it
    can be used in a lot of modes, so the mode determination is really _NOT_
    trivial; look inside eperl_main.c if you doubt me) and rewritten the mode
    determination. It is no longer confused by command line arguments under the
    CGI environment when QUERY_STRING is present.
    
    I encourage users of ePerl 2.2.12 to upgrade to ePerl 2.2.13.
    The distribution eperl-2.2.13.tar.gz is available at
    
       http://www.engelschall.com/sw/eperl/   and
       ftp://ftp.engelschall.com/sw/eperl/
    
    Thanks for supporting ePerl and the Perl community.
    
    Greetings,
                                           Ralf S. Engelschall
                                           rseat_private
                                           www.engelschall.com
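The mode confusion the message describes, as an added illustration (this is not ePerl's code and eperl_main.c does not look like this): a web server passes an ISINDEX query (a QUERY_STRING with no '=') to a CGI program as decoded command line arguments, so a 2.2.12-style rule of "argv[1] names the page" lets the query string choose which *.phtml file gets evaluated. The hardened variant trusts argv only outside the CGI environment and takes the page from PATH_TRANSLATED whenever GATEWAY_INTERFACE is set. The struct, function names and sample paths are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the CGI environment; no real server is involved. */
struct cgi_env {
    const char *gateway_interface; /* "CGI/1.1" under a web server, NULL when run by hand */
    const char *path_translated;   /* filesystem path of the requested *.phtml page */
    const char *query_string;      /* raw query string, may be NULL or "" */
};

/* Hypothetical 2.2.12-style selection: a command line argument always wins.
 * Under CGI the only thing argv ever carries is the ISINDEX query, which the
 * server has split on '+' and URL-decoded, so the client picks the page. */
const char *select_source_vulnerable(int argc, char **argv, const struct cgi_env *env)
{
    if (argc > 1)
        return argv[1];
    if (env->path_translated != NULL && env->path_translated[0] != '\0')
        return env->path_translated;
    return NULL;
}

/* Hardened selection: when GATEWAY_INTERFACE is set we are being run by a
 * web server, and the page to evaluate is PATH_TRANSLATED, full stop.  argv
 * is ignored in that mode because it is attacker-controlled input.  Outside
 * CGI (command line, shell script, #!-interpreter) argv still names the page. */
const char *select_source_fixed(int argc, char **argv, const struct cgi_env *env)
{
    int under_cgi = env->gateway_interface != NULL && env->gateway_interface[0] != '\0';
    if (under_cgi) {
        if (env->path_translated != NULL && env->path_translated[0] != '\0')
            return env->path_translated;
        return NULL; /* server gave us no page: refuse rather than guess */
    }
    if (argc > 1)
        return argv[1];
    return NULL;
}

/* Constructed request: http://foo/dir/bar.phtml?/absolute/path/to/quux.phtml
 * The server translates bar.phtml to a docroot path and hands the ISINDEX
 * query over as argv[1]. */
static char *sample_argv[] = { "eperl", "/absolute/path/to/quux.phtml", NULL };
static const struct cgi_env sample_env = {
    "CGI/1.1",
    "/usr/local/httpd/htdocs/dir/bar.phtml",
    "/absolute/path/to/quux.phtml",
};

int main(void)
{
    printf("2.2.12-style rule evaluates: %s\n",
           select_source_vulnerable(2, sample_argv, &sample_env));
    printf("hardened rule evaluates:     %s\n",
           select_source_fixed(2, sample_argv, &sample_env));
    return 0;
}
```

Run as shown, the first line names quux.phtml (the attacker's choice) and the second names bar.phtml (the requested page). The check that matters is the order of precedence: the environment decides which mode we are in before any argument is looked at, instead of the presence of an argument deciding the mode.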
    