[7201] in bugtraq
Re: ePerl: bad handling of ISINDEX queries
daemon@ATHENA.MIT.EDU (Steve Willer)
Thu Jul 9 16:02:05 1998
Date: Wed, 8 Jul 1998 14:32:58 -0400
Reply-To: Steve Willer <willer@INTERLOG.COM>
From: Steve Willer <willer@INTERLOG.COM>
X-To: Andrew Pimlott <pimlott@ABEL.MATH.HARVARD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SOL.3.91.980708120652.28230A-100000@abel>
On Wed, 8 Jul 1998, Andrew Pimlott wrote:
> I notified the author of a variant of this bug last summer (which he
> fixed; see
> http://www.engelschall.com/sw/eperl/distrib/eperl-SNAP/ChangeLog). I
> honestly wouldn't trust eperl for a minute. These are very simple
> mistakes.
>
> > This can lead to arbitrary Perl code being executed on
> > the server.
To be honest, although I ended up not using ePerl, I would consider this
mistake fairly understandable. I mean, I can't think of anywhere that
still uses ISINDEX, so it's not that strange for it to fall out of a
developer's mental space.
I do want to make one point about the original bug report: If I read it
correctly, then you will only be able to execute ePerl code, *not* Perl
code. ePerl starts off in "plain text" mode, so anything until the
ePerl-open tag will be output as plain text.
Of course, this does mean that a user would be able to read an arbitrary
file that's accessible to nobody, but it doesn't mean they can execute
whatever they want -- only ePerl pages, which are usually written to be
safe (since they're usually a Web page anyway).
