[7190] in bugtraq


Re: ePerl: bad handling of ISINDEX queries

daemon@ATHENA.MIT.EDU (Andrew Pimlott)
Wed Jul 8 14:42:27 1998

Date: 	Wed, 8 Jul 1998 12:27:14 -0400
Reply-To: Andrew Pimlott <pimlott@ABEL.MATH.HARVARD.EDU>
From: Andrew Pimlott <pimlott@ABEL.MATH.HARVARD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.GSO.3.96.980706221840.676A-100000@odin>

On Mon, 6 Jul 1998, Tiago Luz Pinto wrote:

>     (ePerl is an embedded Perl Interpreter for HTTP servers)
>
> * Description:
>     Incorrect Handling of ISINDEX queries (command line argument)
> when ePerl runs as a nph-cgi/cgi.

I notified the author of a variant of this bug last summer (which he
fixed; see
http://www.engelschall.com/sw/eperl/distrib/eperl-SNAP/ChangeLog).  I
honestly wouldn't trust eperl for a minute.  These are very simple
mistakes.

> * Cause:
>     According to the CGI/1.1 specification, the HTTP
> server executes CGIs, passing the ISINDEX field as a command
> line argument. When ePerl runs and gets this argument
> (argc > 1), it fails to set MODE_CGI, then tries to
> open the argument for parsing/executing.
>
>     This can lead to arbitrary Perl code being executed on
> the server.
>
> * Example:
> http://foo.com/some/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml

Andrew

"Do they give a Nobel Prize for attempted chemistry?"
- "Sideshow" Bob Terwilliger
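Added example, not ePerl's code nor either poster's: a C sketch of the mode decision the report describes, with the weak argc-based rule beside one that recognises CGI operation from the CGI/1.1 environment instead. The function names, the MODE_FILTER constant and the constructed paths are assumptions; GATEWAY_INTERFACE and PATH_TRANSLATED are the standard CGI/1.1 variables.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not ePerl's code). Under CGI/1.1 an ISINDEX-style
 * query (a "?" with no "=") is split into words and handed to the program
 * as command-line arguments, so argc and argv are under remote control. */

typedef enum { MODE_CGI, MODE_FILTER } run_mode;

/* Weak rule, modelled on the described bug: any command-line argument is
 * taken as proof of stand-alone use; the server's environment is ignored. */
run_mode mode_weak(int argc, const char *gateway_interface) {
    (void)gateway_interface;
    return argc > 1 ? MODE_FILTER : MODE_CGI;
}

/* Hardened rule: CGI use is recognised from the variable the web server
 * sets (GATEWAY_INTERFACE); argv plays no part in the decision. */
run_mode mode_hardened(int argc, const char *gateway_interface) {
    (void)argc;
    return gateway_interface != NULL ? MODE_CGI : MODE_FILTER;
}

/* Choose the script to execute: in CGI mode the server names it through
 * PATH_TRANSLATED; argv[1] is honoured only in stand-alone (filter) mode. */
const char *select_script(run_mode (*decide)(int, const char *),
                          int argc, char **argv,
                          const char *gateway_interface,
                          const char *path_translated) {
    if (decide(argc, gateway_interface) == MODE_CGI)
        return path_translated;
    return argc > 1 ? argv[1] : NULL;
}

/* Constructed request shaped like the report's example URL: the server set
 * GATEWAY_INTERFACE and PATH_TRANSLATED, and the query landed in argv[1]. */
const char *script_chosen_for_isindex_request(int hardened) {
    char *argv[] = { "doit.phtml", "/home/ftp/incoming/executemycode.phtml", NULL };
    return select_script(hardened ? mode_hardened : mode_weak, 2, argv,
                         "CGI/1.1", "/var/www/some/dir/doit.phtml");
}

int main(void) {
    printf("weak rule executes:     %s\n", script_chosen_for_isindex_request(0));
    printf("hardened rule executes: %s\n", script_chosen_for_isindex_request(1));
    return 0;
}
```

With the weak rule the client-supplied path is what gets executed; with the hardened rule the server-designated script runs and the ISINDEX words are left for the script to read as its query.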
