in reply to Format string vulnerability

This was incorrectly reported at Computerweekly.com as Perl open to format string security hole. Perl as a language isn't to blame. A module written in perl that is used by a third party application is to blame.

Replies are listed 'Best First'.
Re^2: Format string vulnerability
by tirwhan (Abbot) on Dec 01, 2005 at 09:52 UTC

    This is not entirely correct, it's a perl bug that can be exploited if a script uses format strings insecurely (as the webmin module in question does). See demerphq's post on the subject.


    Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
[reply]
      dont worry guys php is next ;]
[reply]
Re^2: Format string vulnerability
by Perl Mouse (Chaplain) on Dec 01, 2005 at 11:58 UTC
    I think that putting the blame on webmin, without carefully looking at perl itself is even more damaging to perl that the article in computerweekly. Luckely, perlmonks isn't read by the non-perl-insiders at large, and luckely, p5p was smart enough to do some introspection and not send out a rebuttal.

    The security issues are there in Perl, and they are now being addressed. And while webmin isn't free of blame, the issues in Perl make the difference between a denial of service attack (due to the bug in webmin) and comprimising the machine (due to the combined effects of the flaws in webmin and perl).

    Perl --((8:>*
[reply]

In Section Seekers of Perl Wisdom