On Wed, 8 Jul 1998, Andrew Pimlott wrote:
> I notified the author of a variant of this bug last summer (which he
> fixed; see
> http://www.engelschall.com/sw/eperl/distrib/eperl-SNAP/ChangeLog). I
> honestly wouldn't trust eperl for a minute. These are very simple
> mistakes.
>
> > This can lead to arbitrary Perl code being executed on
> > the server.
To be honest, although I ended up not using ePerl, I would consider this
mistake fairly understandable. I mean, I can't think of anywhere that
still uses ISINDEX, so it's not that strange for it to fall out of a
developer's mental space.
I do want to make one point about the original bug report: If I read it
correctly, then you will only be able to execute ePerl code, *not* Perl
code. ePerl starts off in "plain text" mode, so anything until the
ePerl-open tag will be output as plain text.
Of course, this does mean that a user would be able to read an arbitrary
file that's accessible to nobody, but it doesn't mean they can execute
whatever they want -- only ePerl pages, which are usually written to be
safe (since they're usually a Web page anyway).
Received on Jul 09 1998
Intro
