Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re: Re: Blatant security problem in certain CPAN module installs

by tantarbobus (Hermit)
on May 03, 2004 at 06:19 UTC ( #349933=note: print w/replies, xml ) Need Help??


in reply to Re: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs

I did. Or at least I tried. His webform was throwing errors, so I ended up sending it to the email address given with the error message.

Here is the text of the message that I sent to him:

Hello,

Earlier today I noticed that you have code in your Makefile.PLs that inclues and evals code served up from perl.4pro.com. While I am sure that you don't mean any harm in doing this, it nonetheless opens up several security holes.

For example, if your site were to be cracked, the intruder could insert code that would be run by any person installing your module. and many people install perl modules as root.

And then there is the issue of trust. How do I know that you are not changing the output of the file based on domain name of the person requesting the file? As a proof of concept, I wrote up a little script which illustrates my point:

http://www.remotelinux.com/rlippan/irony.cgi
And to see it in action: http://www.remotelinux.com/rlippan/irony

If you are not comming from 4pro.net, You can add domains to the list of evil_domains by passing in ?evil_domain=domain.dom

Thank you for your time,

Rudolf Lippan.
  • Comment on Re: Re: Blatant security problem in certain CPAN module installs

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://349933]
help
Chatterbox?
[LanX]: Corion: come on, people are people! ;)
[Corion]: Naah, I think it's still an OK show so far. Their new songs aren't exactly great, but I'm not going there for new material anyway ;)
[marto]: I got the feeling from the last show that for big sections of it, they were not really into what they were doing
[Corion]: LanX: Sure, they can bask in my Halo
[marto]: more so than the previous show I saw
[Corion]: marto: Well, I think they go a tour every two years and I think it's hard to even get a connection with the crowd at a 20k people concert... But maybe after this time I'll stop too ;)
[Corion]: I still have to see the Pet Shop Boys live before they stop touring at all
[marto]: yeah, I think that as a group creatively they're done. I can understand how it'd be hard to stop the process, album/tour, album/tour, if that's pretty much all you've ever done :)
[marto]: Corion yes I saw them Pandemonium_Tour
[Corion]: marto: Yeah, and I doubt that they'll ever get back to something like Violator/Songs of Faith and Devotion - it would either alienate their "regular" crowd, or be "too much Violator" ;)

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (13)
As of 2017-03-24 11:39 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Should Pluto Get Its Planethood Back?



    Results (301 votes). Check out past polls.