[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

eperl: rotected files can be read by unauthorised users

eperl can be used to read files that the web server access control rules
deny access to. The problem is that a symlink to eperl is installed in
/usr/lib/cgi-bin, so any protected file ending in an extension which eperl
decides to handle (including .html), can read. E.g. if Apache's DocumentRoot
is set to /var/www, and /var/www/protected is restricted to access by certain
hosts, it is possible to read /var/www/protected/index.html by requesting

eperl, and other interpreters / server-side languages should probably not
be installed in /usr/lib/cgi-bin; perhaps debian-policy should mention this
in the section on web servers and cgi-bin (at the moment it says that all
CGI scripts should be there).

Unfortunately moving interpreters from /usr/lib/cgi-bin will prevent their use
as a server-side language in Apache using the AddType and Action directives,
so it's back to shebang lines, I guess.

-- System Information
Debian Release: 2.2
Kernel Version: Linux lamia 2.2.14 #1 Tue Feb 1 20:45:54 GMT 2000 i686 unknown

Versions of the packages eperl depends on:
hi  libc6          2.1.2-13       GNU C Library: Shared libraries and Timezone
ii  libgdbmg1      1.7.3-26.2     GNU dbm database routines (runtime version).
ii  perl-5.005     5.005.03-5.3   Larry Wall's Practical Extracting and Report

"Damaged people are dangerous, they know they can survive"

Reply to: