Bugtraq mailing list archives
Re: ePerl: bad handling of ISINDEX queries
From: tiago () EPS UFSC BR (Tiago Luz Pinto)
Date: Fri, 10 Jul 1998 01:52:52 -0300
On Wed, 8 Jul 1998, Steve Willer wrote:
> To be honest, although I ended up not using ePerl, I would consider this mistake fairly understandable. I mean, I can't think of anywhere that still uses ISINDEX, so it's not that strange for it to fall out of a developer's mental space.
I don't agree with you on that. First, ISINDEX is well documented in the CGI specification, and ePerl claims that it is CGI/1.1 compliant. Second, if you want your software to work (not to mention be secure), you can't forget things that are written in the specs.
> I do want to make one point about the original bug report: If I read it correctly, then you will only be able to execute ePerl code, *not* Perl code. ePerl starts off in "plain text" mode, so anything until the ePerl-open tag will be output as plain text.
You'll be able to execute Perl code, since all that ePerl does is put a Perl "print" command in front of your HTML code and pass it to the Perl interpreter along with the Perl code embedded in the page. Another thing: this bug was found in the latest (2.2.12) version of ePerl.

+----------------------------------------------------------------------+
| Tiago Luz Pinto                                 tiago () eps ufsc br |
|                                                                      |
| Network Administrator - Department of Production Engineering         |
| Federal University of Santa Catarina - Brazil                        |
+----------------------------------------------------------------------+
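An added illustration of the two points made in this thread (example code written for this archive page, not code from the thread or from ePerl's sources). The first function implements the CGI/1.1 ISINDEX rule Tiago refers to: a QUERY_STRING with no unencoded "=" is treated as a search string, split on "+" and passed to the CGI program as command-line arguments. The second is a simplified model of the translation Tiago describes, plain text wrapped in a Perl print statement and the embedded code copied through, using ePerl's `<:` / `:>` delimiters; it is a reconstruction for illustration and is not ePerl's own parser. The sample page, the `/tmp/attacker.phtml` path and the assumption that the interpreter takes its script path from argv are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not a real upload): ordinary HTML with two
# embedded ePerl blocks. ePerl's default delimiters are <: and :>.
SAMPLE_PAGE = """<html><body>
Hello, <: print "world"; :>
<: system("id"); :>
</body></html>
"""


def isindex_argv(query_string):
    """CGI/1.1 search-string rule (later written down as RFC 3875, section
    4.4): when QUERY_STRING contains no unencoded '=', the server treats the
    request as an ISINDEX query, splits it on '+' and hands the URL-decoded
    words to the program as command-line arguments. With '=' present, the
    program gets no arguments from the query string."""
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def _perl_single_quoted(text):
    """Emit text as a single-quoted Perl literal; only \\ and ' are special."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


_EPERL_BLOCK = re.compile(r"<:(.*?):>", re.DOTALL)


def eperl_to_perl(page):
    """Simplified model of the translation described in the thread: every run
    of plain text becomes a Perl print statement and every <: ... :> block is
    copied through as Perl code. Reconstruction for illustration only; it
    ignores ePerl's shorthand syntax, error handling and real source layout."""
    perl = []
    pos = 0
    for match in _EPERL_BLOCK.finditer(page):
        literal = page[pos:match.start()]
        if literal:
            perl.append("print " + _perl_single_quoted(literal) + ";")
        perl.append(match.group(1).strip())
        pos = match.end()
    tail = page[pos:]
    if tail:
        perl.append("print " + _perl_single_quoted(tail) + ";")
    return "\n".join(perl) + "\n"


def script_selected_by(argv):
    """Assumed model of a CGI interpreter that reads the script path from its
    first argument. Under the ISINDEX rule that argument comes straight from
    the URL, so the requester picks which file gets translated and run."""
    return argv[0] if argv else None


if __name__ == "__main__":
    # A request whose query string is just a path, e.g. ?/tmp/attacker.phtml,
    # has no '=' and so is delivered as argv rather than as QUERY_STRING data.
    argv = isindex_argv("/tmp/attacker.phtml")
    print("argv from ISINDEX query:", argv)
    print("file the interpreter would run:", script_selected_by(argv))
    print("--- Perl generated from the constructed sample page ---")
    print(eperl_to_perl(SAMPLE_PAGE))
```

The generated Perl shows why "only ePerl code" is not a safe boundary: the HTML becomes a print statement and the `system("id")` block is executed as-is, so any file the interpreter can be pointed at is effectively a Perl program.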