Posted to embperl@perl.apache.org by Hunter Thomas <ar...@sasquatch.com> on 2002/07/08 05:11:49 UTC

Security issue

[7422]Reading /usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/embperl/embpcgi.pl as input using PerlIO (909 Bytes)...

Ok, now, it was my impression that it would only read documents within
the DOCUMENT_ROOT, and considering that the document root for this dom
is 
/usr/local/public/virtualdomains/archangl/archangelqnet/www/
it's obviously violated that rule. My question is, why, and how can I
track it down? I don't have access to the installed source on this
server, so, not much I can do about it. Btw, the url that was used to
call this is
http://www.archangelq.net/cgi-bin/embperl/embpcgi.pl/cgi-bin/embperl/embpcgi.pl
in case anyone wants to verify this. In my mind, this is quite the
security problem. Then again, it may just be how I've got this
installed, but if so, I don't see how I installed and configured this
other than as the docs have said.

Re: Security issue

Posted by Gerald Richter <ri...@ecos.de>.
>[7422]Reading /usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/embperl/embpcgi.pl as input using PerlIO (909 Bytes)...
>
>Ok, now, it was my impression that it would only read documents within
>the DOCUMENT_ROOT, and considering that the document root for this dom

No, it does the same transformation from the URL to the file as for every
other request. So when you have an Alias in your httpd.conf it will follow
it, as for a normal request.

This problem came up some years ago, and to avoid these security
problems we added the EMBPERL_ALLOW directive. You say for example

Embperl_Allow "\.epl$"

and Embperl will only serve documents which have the extension .epl

Gerald

P.S. In 1.3.4 you need the SetEnv before the EMBPERL_ALLOW

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
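Gerald's advice, written out as an httpd.conf fragment. This is an added illustration for the thread, not configuration from either poster or from the Embperl project. The paths are the ones Hunter quoted; the CGI-mode layout (a ScriptAlias for /cgi-bin/ with embpcgi.pl doing the work) is assumed from the URL in his report; the directive spelling follows Gerald's reply, with the SetEnv form for 1.3.4 as his P.S. says and the Embperl_Allow directive form assumed equivalent for later releases.

```apache
# Before: nothing limits what embpcgi.pl will process. Apache maps the
# extra path info of
#   /cgi-bin/embperl/embpcgi.pl/cgi-bin/embperl/embpcgi.pl
# through the same ScriptAlias it used for the script, so Embperl ends
# up reading the wrapper script itself, outside DocumentRoot (the
# "Reading ... embpcgi.pl as input" line in the log).
<VirtualHost *>
    ServerName   www.archangelq.net
    DocumentRoot /usr/local/public/virtualdomains/archangl/archangelqnet/www
    ScriptAlias  /cgi-bin/ /usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/
</VirtualHost>

# After: Embperl serves only documents whose name ends in .epl.
# Keep the $ anchor: "\.epl" on its own would still admit names such as
# foo.epl.bak, or any path that merely contains ".epl" somewhere.
<VirtualHost *>
    ServerName   www.archangelq.net
    DocumentRoot /usr/local/public/virtualdomains/archangl/archangelqnet/www
    ScriptAlias  /cgi-bin/ /usr/local/public/virtualdomains/archangl/archangelqnet/cgi-bin/

    # Embperl 1.3.4 in CGI mode: the setting reaches embpcgi.pl as an
    # environment variable, hence SetEnv (per Gerald's P.S.).
    SetEnv EMBPERL_ALLOW "\.epl$"

    # Later releases take the directive form instead (assumed here to
    # be equivalent; use one form or the other, not both):
    # Embperl_Allow "\.epl$"
</VirtualHost>
```

To check the fix, request the same doubled URL again: the access log should no longer show Embperl reading embpcgi.pl as input. Note what the regex does and does not do: it filters on the name of the file Embperl has already resolved, so embpcgi.pl no longer matches, but it does not confine Embperl to DocumentRoot. A .epl file reachable through an Alias outside the document root is still served, exactly as Gerald describes for any other aliased request.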

---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org