Date: Mon, 6 Jul 1998 22:39:24 -0300
From: Tiago Luz Pinto
Subject: ePerl: bad handling of ISINDEX queries

(ePerl is an embedded Perl Interpreter for HTTP servers)

* Description:
  Incorrect handling of ISINDEX queries (command line argument)
  when ePerl runs as a nph-cgi/cgi.

* Cause:
  According to the CGI/1.1 specification, the HTTP server executes
  CGIs passing the ISINDEX field as a command line argument. When
  ePerl runs and gets this argument (argc > 1), it fails to set
  MODE_CGI, then tries to open the argument for parsing/executing.

  This can lead to arbitrary Perl code being executed on the server.

* Example:
  http://foo.com/some/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml

+----------------------------------------------------------------------+
| Tiago Luz Pinto                                    tiago@eps.ufsc.br |
|                                                                      |
| Network Administrator - Department of Production Engineering         |
| Federal University of Santa Catarina - Brazil                        |
+----------------------------------------------------------------------+

-----

Date: Wed, 8 Jul 1998 12:27:14 -0400
From: Andrew Pimlott
Subject: Re: ePerl: bad handling of ISINDEX queries

On Mon, 6 Jul 1998, Tiago Luz Pinto wrote:
> (ePerl is an embedded Perl Interpreter for HTTP servers)
>
> * Description:
>   Incorrect handling of ISINDEX queries (command line argument)
>   when ePerl runs as a nph-cgi/cgi.

I notified the author of a variant of this bug last summer (which he
fixed; see http://www.engelschall.com/sw/eperl/distrib/eperl-SNAP/ChangeLog).
I honestly wouldn't trust eperl for a minute. These are very simple
mistakes.

> * Cause:
>   According to the CGI/1.1 specification, the HTTP server executes
>   CGIs passing the ISINDEX field as a command line argument. When
>   ePerl runs and gets this argument (argc > 1), it fails to set
>   MODE_CGI, then tries to open the argument for parsing/executing.
>
>   This can lead to arbitrary Perl code being executed on the server.
>
> * Example:
>   http://foo.com/some/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml

Andrew

"Do they give a Nobel Prize for attempted chemistry?" - "Sideshow" Bob Terwilliger
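The mechanism both messages describe, as an added illustration that is not ePerl's source and is not part of either post: a CGI/1.1 server treats a query string containing no unencoded '=' as an ISINDEX query, splits it on '+', URL-decodes each word and passes the words as command-line arguments. A CGI that decides "script path on the command line" from argc > 1 alone therefore opens an attacker-chosen file. The model below builds argv the way the server would, then runs the request through a flawed dispatcher modelled on the advisory's description and through a hardened one that takes its mode from GATEWAY_INTERFACE and ignores argv in CGI mode. The function names, the program name "eperl", the PATH_TRANSLATED value and the query strings are all constructed for this example.

```c
/* Added example: models ISINDEX-to-argv splitting and the argc > 1 dispatch
 * flaw described in the advisory. Not ePerl's code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: what the server would set PATH_TRANSLATED to for doit.phtml. */
#define PATH_TRANSLATED "/var/www/some/dir/doit.phtml"

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* URL-decode len bytes of src into a malloc'd string (%XX -> byte).
 * The '+' separators have already been split off by the caller. */
static char *url_decode(const char *src, size_t len)
{
    char *out = malloc(len + 1), *d = out;
    size_t i;
    if (out == NULL) return NULL;
    for (i = 0; i < len; i++) {
        if (src[i] == '%' && i + 2 < len &&
            hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            *d++ = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;
        } else {
            *d++ = src[i];
        }
    }
    *d = '\0';
    return out;
}

/* Split a query string into command-line words the way a CGI/1.1 server
 * does for an ISINDEX query. Returns the number of malloc'd words stored
 * in argv[0..n-1], or 0 when the query contains '=' (a form query: the
 * server then passes no command-line arguments at all). */
int isindex_to_argv(const char *query, char **argv, int maxargs)
{
    int n = 0;
    const char *p = query;
    if (query == NULL || strchr(query, '=') != NULL) return 0;
    while (*p != '\0' && n < maxargs) {
        const char *plus = strchr(p, '+');
        size_t len = plus ? (size_t)(plus - p) : strlen(p);
        argv[n++] = url_decode(p, len);
        if (plus == NULL) break;
        p = plus + 1;
    }
    return n;
}

/* Flawed dispatch, modelled on the advisory (not ePerl's source): any
 * command-line argument is taken to mean "not CGI", so MODE_CGI is never
 * set and argv[1] is opened as the script. Under an ISINDEX query argv[1]
 * is whatever the requester put after '?'. */
const char *select_script_flawed(int argc, char **argv, const char *path_translated)
{
    if (argc > 1)
        return argv[1];          /* attacker-controlled under ISINDEX */
    return path_translated;      /* CGI mode: script named by the server */
}

/* Hardened dispatch: decide the mode from the environment the server sets
 * (GATEWAY_INTERFACE=CGI/1.1 on every CGI/1.1 invocation). In CGI mode
 * argv is user data and is ignored; only outside CGI mode is argv[1] a
 * legitimate script path typed by an administrator. */
const char *select_script_hardened(int argc, char **argv,
                                   const char *gateway_interface,
                                   const char *path_translated)
{
    if (gateway_interface != NULL && strncmp(gateway_interface, "CGI/", 4) == 0)
        return path_translated;
    return argc > 1 ? argv[1] : NULL;
}

/* Drive one request end to end: build argv as the server would, then ask
 * the chosen dispatcher which file it would open ("" if none). Static
 * storage so the function can be called repeatedly from a harness. */
const char *simulate_request(const char *query, int hardened)
{
    static char *argv[8];
    static int argc = 0;
    const char *script;
    int i;
    for (i = 1; i < argc; i++) free(argv[i]);
    argv[0] = "eperl";                                /* hypothetical program name */
    argc = 1 + isindex_to_argv(query, argv + 1, 6);
    script = hardened
        ? select_script_hardened(argc, argv, "CGI/1.1", PATH_TRANSLATED)
        : select_script_flawed(argc, argv, PATH_TRANSLATED);
    return script ? script : "";
}

int main(void)
{
    /* Constructed query, modelled on the advisory's example URL. */
    const char *q = "/home/ftp/incoming/executemycode.phtml";
    printf("flawed   opens: %s\n", simulate_request(q, 0));
    printf("hardened opens: %s\n", simulate_request(q, 1));
    return 0;
}
```

The decisive check is the environment, not argc: a CGI/1.1 server always sets GATEWAY_INTERFACE, and once a program knows it is running as a CGI it must treat argv as ISINDEX input, never as a file to parse. Note that the server also URL-decodes each word, so percent-encoding the path does not change the outcome against the flawed dispatcher.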