|Perl: the Markov chain saw|
Blatant security problem in certain CPAN module installsby toma (Vicar)
|on May 03, 2004 at 03:53 UTC||Need Help??|
I always figured that if there were a blatant security violation by a CPAN author, that I would be safe because someone would notice the problem before I got burned by it. That has indeed happened, and now you are being notified, also.
The nature of this security violation is that the module author executes arbitrary code on your computer. Anyone who can spoof the module owner's web server can also execute arbitrary code during the module installation.
The problem is in the Makefile.PL, which gets arbitrary code from the web server at perl.4pro.net and executes the code.
My strategy for installing perl modules is to never do so as root, and to never modify /usr/bin/perl. I think that this strategy has now been vindicated!
Here are modules with the problem:
To check if you have any of these modules, you can search your perl tree for the author name 'Domizio Demichelis'. Here is the current list on CPAN:
It should work perfectly the first time! - toma