eperl: protected files can be read by unauthorised users
eperl can be used to read files that the web server access control rules
deny access to. The problem is that a symlink to eperl is installed in
/usr/lib/cgi-bin, so any protected file ending in an extension which eperl
decides to handle (including .html) can be read. E.g. if Apache's DocumentRoot
is set to /var/www, and /var/www/protected is restricted to access by certain
hosts, it is possible to read /var/www/protected/index.html by requesting
eperl, and other interpreters / server-side languages should probably not
be installed in /usr/lib/cgi-bin; perhaps debian-policy should mention this
in the section on web servers and cgi-bin (at the moment it says that all
CGI scripts should be there).
Unfortunately moving interpreters from /usr/lib/cgi-bin will prevent their use
as a server-side language in Apache using the AddType and Action directives,
so it's back to shebang lines, I guess.
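The report's point is that a general-purpose interpreter sitting in the CGI directory can be handed a path to any file the web server's access rules protect. A quick way for an administrator to check for that layout is to scan the CGI directory for entries that are symlinks to, or copies of, known interpreters. The script below is an added example, not part of the bug report or of the eperl package; the interpreter name list and the constructed sample directory are assumptions made for the example.

```shell
#!/bin/sh
# Added audit example (not from the bug report): flag entries in a CGI
# directory that are symlinks to, or copies of, general-purpose interpreters.
# An interpreter reachable as a CGI can be asked to process files that the
# access-control rules for other locations are supposed to protect.

# Interpreter names worth reviewing; this list is an assumption for the example.
INTERPRETERS="eperl perl php python sh bash"

# Usage: find_cgi_interpreters DIR
# Prints one line per flagged entry: "<name> -> <link target or path>".
find_cgi_interpreters() {
    dir="$1"
    for entry in "$dir"/*; do
        # -e follows symlinks, so also accept dangling links with -L
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
        else
            target="$entry"
        fi
        base=$(basename "$target")
        for interp in $INTERPRETERS; do
            if [ "$name" = "$interp" ] || [ "$base" = "$interp" ]; then
                printf '%s -> %s\n' "$name" "$target"
                break
            fi
        done
    done
}

# Number of flagged entries in DIR, for a simple pass/fail check.
count_flagged() {
    find_cgi_interpreters "$1" | wc -l | tr -d ' '
}

# Build a constructed sample directory so the example runs offline:
# one ordinary CGI script plus the symlink layout the report describes.
make_sample_cgi_dir() {
    sample=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$sample/status.cgi"
    chmod +x "$sample/status.cgi"
    ln -s /usr/bin/eperl "$sample/eperl"   # constructed; target need not exist
    printf '%s\n' "$sample"
}

# When run directly with a directory argument, audit that directory,
# e.g. ./cgi_audit.sh /usr/lib/cgi-bin
if [ $# -gt 0 ]; then
    find_cgi_interpreters "$1"
fi
```

The check only matches by file name, so it is a review aid rather than a complete inventory; a renamed copy of an interpreter would not be flagged, and any hit still needs a look at the Apache AddType and Action directives that rely on it.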
-- System Information
Debian Release: 2.2
Kernel Version: Linux lamia 2.2.14 #1 Tue Feb 1 20:45:54 GMT 2000 i686 unknown
Versions of the packages eperl depends on:
hi libc6 2.1.2-13 GNU C Library: Shared libraries and Timezone
ii libgdbmg1 1.7.3-26.2 GNU dbm database routines (runtime version).
ii perl-5.005 5.005.03-5.3 Larry Wall's Practical Extracting and Report