Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: eperl1.htm

ePerl 2.1.12 Security Issues



Vulnerability

    ePerl

Affected

    Systems with ePerl 2.1.12

Description

    Tiago  Luz  Pinto  found  following.   ePerl  is an embedded Perl.
    There's  a  problem  of  incorrect  Handling  of  ISINDEX  queries
    (command  line  argument)  when  ePerl  runs  as  a   nph-cgi/cgi.
    According with the CGI/1.1 specification, the HTTP server executes
    CGI's passing the ISINDEX field as a command line argument.   When
    ePerl runs  and gets  this argument  (argc >  1), it  fails to set
    MODE_CGI, then tries to  open the argument for  parsing/executing.
    This  way  one  can  evaluate  ePerl pages through different URLs.
    Example:

        http://foo.com/some/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml

Solution

    Users of ePerl 2.2.12 I encourage to upgrade to ePerl 2.2.13.  The
    distribution eperl-2.2.13.tar.gz is available under

        http://www.engelschall.com/sw/eperl/
        ftp://ftp.engelschall.com/sw/eperl/


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH