perl-embperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gerald Richter - ECOS <rich...@ecos.de>
Subject AW: Embperl security bug
Date Wed, 08 Jan 2014 14:01:33 GMT
Hi,

 
yes, the Embperl list is the right address for such issues.

 
The problem is, that Embperl has no idea what the webroot is, so it’s not easy to change
the error message the way you suggest.

 
For production sites it is better to use an Apache Error Document and don’t display the
interal error message at all. The Embperl error page is intended for debugging, not for production
use. See http://perl.apache.org/embperl/de/pod/doc/Embperl.-page-13-.htm <http://perl.apache.org/embperl/de/pod/doc/Embperl.-page-13-.htm>
how to setup an Apache ErrorDocument.

 
I hope this helps

 
Regards

 
Gerald

 
 
Von: Wire Ghoul [mailto:wireghoul@gmail.com] 
Gesendet: Dienstag, 7. Januar 2014 01:06
An: embperl@perl.apache.org
Betreff: Embperl security bug

 
Hello there,

I hope this is the right address for reporting this. I already reported it to debian, but
it does not appear to have made it upstream to their perl maintainers list so I thought I
would try a direct approach.

The embperl package reveals the full path of the webroot when displaying a 404 message. The
offending code appears to exist at: 
Embperl-2.4.0/epmain.c:137:        case rcNotFound:                msg
="[%d]ERR:  %d: %s Not found '%s', searched: %s" ; break ;

Although there may be other instances as well. The full details can be found through the original
Debian bug report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731996 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731996>


Cheers,
Eldar "Wireghoul" Marcussen


Mime
View raw message