Recent versions of Perl (v5.24.1+) removed '.' from @INC, so this is probably right on the mark. If the OP is using a recent enough Perl version it will not look in the dot path unless something like this happens:
At the start of your first-linked P5P thread, haukex:
Which means simply saying "welp, . isn't in @INC anymore" is going to leave
a vast number of broken scripts, most of them likely the ones whose users
are least knowledgable about perl (do 'config.pl' is very common baby perl,
I'm likely to solve it by automating a massive search-and-replace, inserting a './' before all filenames. (Might just back up first!) I think I know enough to know that the removal of '.' from @INC is best not overridden!
Many thanks to everyone who contributed to this. You are a wise and, yes, very attractive bunch of people!
Because something as seemingly safe as use strict can load strict.pm from the current working directory, which might be somewhere globally writable like "/tmp/".
There was apparently a real-world way of exploiting this to do nasty stuff, but the Perl development team haven't yet publicly disclosed what it is. I imagine it's an exploit in some commonly used Perl web app like cPanel or Webmin. They do plan on releasing the info eventually, once they've decided people have had enough time to move to newer Perl versions which don't have "." in @INC by default.
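The risk described in the last post (a module such as strict.pm being picked up from a relative or world-writable directory) can be checked for on a given system. The Perl script below is an added example, not code from the thread; it assumes a POSIX system with Unix permission bits, and the function names and the constructed second @INC list are illustrative.

```perl
#!/usr/bin/perl
# Added example: audit @INC for entries that would let a module such as
# strict.pm be loaded from a directory other local users can write to.
use strict;
use warnings;
use File::Spec;

# Return a list of findings for one @INC entry (empty list = nothing found).
sub audit_inc_entry {
    my ($entry) = @_;
    return () if ref $entry;    # code refs/objects in @INC are hooks, not directories
    my @findings;

    # A relative entry ('.', 'lib', '') is resolved against the current
    # working directory at load time, so it follows the process into /tmp.
    push @findings, 'relative path, resolved against the current directory'
        unless File::Spec->file_name_is_absolute($entry);

    return @findings unless -d $entry;

    # 0002 = writable by "other". The sticky bit (as on /tmp) does not help:
    # it stops deletion of other users' files, not creation of a new strict.pm.
    my $mode = (stat _)[2] & 07777;
    push @findings, sprintf('world-writable directory (mode %04o)', $mode)
        if $mode & 0002;
    return @findings;
}

# Audit a whole search path; returns { entry => [findings] } for risky entries.
sub audit_inc {
    my %report;
    for my $entry (@_) {
        my @f = audit_inc_entry($entry);
        $report{$entry} = \@f if @f;
    }
    return \%report;
}

# Check the running interpreter, then a constructed list that mimics the
# old default with '.' as the last entry.
for my $case ([ 'running interpreter', @INC ],
              [ 'constructed old-style list', '/usr/share/perl5', '.' ]) {
    my ($label, @inc) = @$case;
    my $report = audit_inc(@inc);
    print "$label:\n";
    print "  no risky entries\n" unless %$report;
    for my $entry (sort keys %$report) {
        print "  '$entry': $_\n" for @{ $report->{$entry} };
    }
}
```

Running it from the directory a script normally starts in shows whether '.' (or any other relative entry) is on the search path there and whether that directory is writable by other users.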