[CCed to activestate in case they were unaware of the discussion on
bugtraq - activestate people, see the archives]
On Tue, May 18, 2004 at 03:23:16PM -0700, Drew Copley wrote:
> The beauty of holes in perl itself is the possibility that
> it could affect a widerange of perl scripts out there sleeping on
> people's webservers, though.
This isn't really a hole in perl itself, but in the particular build of
perl compiled and shipped by one particular vendor. I can not replicate
this on OpenBSD, Debian Linux, or Solaris. Nor can I replicate it using
the version of perl supplied with Cygwin.
I'd be interested to hear if a similar bug exists in Activestate's build
of perl for Linux and Solaris, which I didn't try.
In any case, if an attacker can inject his choice of data into a
system() function, then all bets are off so this is not something that
the users should worry too much about.
--
David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david
<davorg> clowns are scary
<gbjk> I concur. It's their motivation that worries me.
-- in #london.pm
bugtraq - activestate people, see the archives]
On Tue, May 18, 2004 at 03:23:16PM -0700, Drew Copley wrote:
> The beauty of holes in perl itself is the possibility that
> it could affect a widerange of perl scripts out there sleeping on
> people's webservers, though.
This isn't really a hole in perl itself, but in the particular build of
perl compiled and shipped by one particular vendor. I can not replicate
this on OpenBSD, Debian Linux, or Solaris. Nor can I replicate it using
the version of perl supplied with Cygwin.
I'd be interested to hear if a similar bug exists in Activestate's build
of perl for Linux and Solaris, which I didn't try.
In any case, if an attacker can inject his choice of data into a
system() function, then all bets are off so this is not something that
the users should worry too much about.
--
David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david
<davorg> clowns are scary
<gbjk> I concur. It's their motivation that worries me.
-- in #london.pm
[ reply ]