Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Blatant security problem in certain CPAN module installs

by perrin (Chancellor)
on May 03, 2004 at 04:44 UTC ( #349916=note: print w/ replies, xml ) Need Help??


in reply to Blatant security problem in certain CPAN module installs

Have you contacted the author and asked him to change this practice? He might be perfectly willing to do so if you point out the problem and ask him to fix it.


Comment on Re: Blatant security problem in certain CPAN module installs
Re: Re: Blatant security problem in certain CPAN module installs
by tantarbobus (Hermit) on May 03, 2004 at 06:19 UTC

    I did. Or at least I tried. His webform was throwing errors, so I ended up sending it to the email address given with the error message.

    Here is the text of the message that I sent to him:

    Hello,

    Earlier today I noticed that you have code in your Makefile.PLs that inclues and evals code served up from perl.4pro.com. While I am sure that you don't mean any harm in doing this, it nonetheless opens up several security holes.

    For example, if your site were to be cracked, the intruder could insert code that would be run by any person installing your module. and many people install perl modules as root.

    And then there is the issue of trust. How do I know that you are not changing the output of the file based on domain name of the person requesting the file? As a proof of concept, I wrote up a little script which illustrates my point:

    http://www.remotelinux.com/rlippan/irony.cgi
    And to see it in action: http://www.remotelinux.com/rlippan/irony

    If you are not comming from 4pro.net, You can add domains to the list of evil_domains by passing in ?evil_domain=domain.dom

    Thank you for your time,

    Rudolf Lippan.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://349916]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (8)
As of 2014-08-28 03:54 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (255 votes), past polls