This is not entirely correct, it's a perl bug that can be exploited if a script uses format strings insecurely (as the webmin module in question does). See demerphq's post on the subject.
Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
| [reply] |
dont worry guys php is next ;]
| [reply] |
I think that putting the blame on webmin, without carefully looking at perl itself is even more damaging to perl that the article in computerweekly. Luckely, perlmonks isn't read by the non-perl-insiders at large, and luckely, p5p was smart enough to do some introspection and not send out a rebuttal.
The security issues are there in Perl, and they are now being addressed. And while webmin isn't free of blame, the issues in Perl make the difference between a denial of service attack (due to the bug in webmin) and comprimising the machine (due to the combined effects of the flaws in webmin and perl).
| [reply] |