[7222] in bugtraq
ePerl Security Update Available
daemon@ATHENA.MIT.EDU (Ralf S. Engelschall)
Fri Jul 10 15:06:25 1998
Date: Fri, 10 Jul 1998 10:49:44 +0200
Reply-To: rse@engelschall.com
From: "Ralf S. Engelschall" <rse@ENGELSCHALL.COM>
To: BUGTRAQ@NETSPACE.ORG
ePerl Security Update Available
===============================
A security bug report from Tiago Luz Pinto <tiago@EPS.UFSC.BR> about ePerl
2.2.12 appeared on BugTraq on 06-Jul-1998 which showed that ePerl was incorrectly
handling ISINDEX queries (passed as a command line argument by the webserver)
when ePerl runs as a (NPH-)CGI script for *.phtml pages.
In summary, the problem is that under ePerl 2.2.12 a request to
http://foo/dir/bar.phtml?/absolute/path/to/quux.phtml
(i.e. a request for bar.phtml with a QUERY_STRING containing an absolute path
to quux.phtml - both are ePerl pages) does not lead to the evaluation of
bar.phtml. Instead quux.phtml is evaluated, because ePerl 2.2.12 incorrectly
determined the source file from the command line instead of from PATH_TRANSLATED
when QUERY_STRING was present.
This is some sort of a security hole and at least a bug, because this way one
can evaluate ePerl pages through different URLs. But the statement ``This can
lead to _arbitrary_ Perl code being executed on the server.'' from the
original security report is not quite correct, because quux.phtml is still
treated as a text file which is just bristled with ePerl blocks. And those
files usually exist for the same reason: evaluation as HTML pages on the web
with embedded Perl code.
Nevertheless it's a nasty bug, and I've now again (I've already fixed such
QUERY_STRING related bugs in the past) compared the different run-time
environments for ePerl (notice that ePerl is more than just a CGI program; it
can be used in a lot of modes, and so the determination is really _NOT_
trivial; look inside eperl_main.c if you doubt me) and rewrote the mode
determination. Now it isn't confused anymore by command line arguments under
the CGI environment when QUERY_STRING is present.
I encourage users of ePerl 2.2.12 to upgrade to ePerl 2.2.13.
The distribution eperl-2.2.13.tar.gz is available under
http://www.engelschall.com/sw/eperl/ and
ftp://ftp.engelschall.com/sw/eperl/
Thanks for supporting ePerl and the Perl community.
Greetings,
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
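The mechanism behind the bug above, as an added example that is not part of the original message and not ePerl's code: under CGI/1.1 (RFC 3875, section 4.4) a query string with no unencoded '=' is an ISINDEX query and the web server may pass its decoded words to the script as command-line arguments. A program that prefers argv over PATH_TRANSLATED in that situation lets the requester choose which file gets processed. The struct, the function names and the sample paths below are assumptions made for this illustration; the request is the constructed one from the report.

```c
/* Added example, not ePerl's own code: why a CGI program must take the
 * page to evaluate from PATH_TRANSLATED and never from argv when it has
 * been started by a web server. Function and struct names are assumptions
 * made for this example. */
#include <stdio.h>
#include <string.h>

/* The few CGI/1.1 variables that matter here; NULL means "not set". */
struct cgi_env {
    const char *gateway_interface; /* "CGI/1.1" when run by a server */
    const char *path_translated;   /* filesystem path of the requested page */
    const char *query_string;      /* text after '?' in the URL */
};

/* CGI/1.1 (RFC 3875, sec. 4.4): a query string with no unencoded '=' is an
 * ISINDEX query and the server may pass its decoded words to the script
 * as command-line arguments. */
int is_isindex_query(const char *query)
{
    return query != NULL && query[0] != '\0' && strchr(query, '=') == NULL;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Build argv from an ISINDEX query the way the server does: split on '+'
 * and %XX-decode each word. Words are stored back to back in buf, and
 * out[] receives up to max pointers. Returns the word count, 0 if the
 * query is not ISINDEX-style, -1 if buf is too small. */
int isindex_to_argv(const char *query, char *buf, size_t buflen,
                    char **out, int max)
{
    int n = 0, hi, lo;
    size_t pos = 0;
    const char *p = query;

    if (!is_isindex_query(query)) return 0;
    while (n < max) {
        out[n++] = buf + pos;
        while (*p != '\0' && *p != '+') {
            if (pos + 1 >= buflen) return -1;
            if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
                buf[pos++] = (char)(hi * 16 + lo);
                p += 3;
            } else {
                buf[pos++] = *p++;
            }
        }
        buf[pos++] = '\0';
        if (*p == '\0') break;
        p++;                          /* skip the '+' separator */
    }
    return n;
}

/* The 2.2.12 behaviour described in the report: a command-line argument
 * wins over PATH_TRANSLATED even under CGI, so the requester's query picks
 * the page that gets evaluated. */
const char *source_2212(int argc, char **argv, const struct cgi_env *env)
{
    if (argc > 1) return argv[1];
    return env->path_translated;
}

/* Fixed: started by a web server (GATEWAY_INTERFACE set) means the page
 * is PATH_TRANSLATED, full stop; argv is only honoured in plain
 * command-line mode. */
const char *source_fixed(int argc, char **argv, const struct cgi_env *env)
{
    if (env->gateway_interface != NULL) return env->path_translated;
    if (argc > 1) return argv[1];
    return NULL;
}

/* Simulate one CGI request for bar.phtml with the given query string and
 * return the file each version would evaluate. Static storage, so the
 * returned pointer stays valid until the next call. */
const char *simulate_request(const char *query, int use_fixed)
{
    static char buf[512];
    static char *argv[9] = { "eperl" };
    struct cgi_env env = { "CGI/1.1", "/srv/www/dir/bar.phtml", query };
    int n = isindex_to_argv(query, buf, sizeof buf, argv + 1, 8);
    if (n < 0) return NULL;
    return use_fixed ? source_fixed(n + 1, argv, &env)
                     : source_2212(n + 1, argv, &env);
}

int main(void)
{
    /* Constructed request from the report:
     * GET /dir/bar.phtml?/absolute/path/to/quux.phtml */
    const char *q = "/absolute/path/to/quux.phtml";
    printf("2.2.12 evaluates: %s\n", simulate_request(q, 0));
    printf("2.2.13 evaluates: %s\n", simulate_request(q, 1));
    return 0;
}
```

The point of the check in source_fixed is that the decision is made on how the program was started, not on whether an argument happens to be present: any query without '=' (the path in the report, or a %XX-encoded one) lands in argv, so argv can never be a trustworthy file name once GATEWAY_INTERFACE is set.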