Perl CGI.pm module security issue



Holland
10-15-2003, 07:58 AM
Versions of CGI.pm prior to 2.94 need to be upgraded to fix a cross site security issue.

http://eyeonsecurity.org/advisories/CGI.pm/adv.html

wildjokerdesign
10-15-2003, 08:11 AM
In the report it states that the vulnerability lies in using start_form() in your scripts. As far as I am aware, none of the WestHost-provided scripts use this, but I may be wrong. I would suggest that until we know if WestHost has updated CGI.pm, or until we hear from them on this, if you are using this in your scripts you change or disable it if you are worried about it.

Shawn

WestHost - MStevenson
10-15-2003, 09:15 AM
I am asking a higher level tech about this right now; I will let you know what I find out.

wildjokerdesign
10-15-2003, 09:16 AM
Thanks Mark. By the way, what is the best way to report a "bug"? I think I found one in the guestbook install. Don't know if the forum or a support ticket is the best way to go.

Holland
10-15-2003, 10:18 AM
You can test the version of CGI.pm from the shell with
perl -MCGI -e 'print $CGI::VERSION'
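
Added example (not part of Holland's post or of the thread): a shell audit that combines the version check above with a search for scripts that call start_form(). The 2.94 threshold and start_form() come from the thread; the function names, exit codes and directory argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. FIXED_VERSION is the release the thread
# names: versions of CGI.pm prior to 2.94 need to be upgraded.
FIXED_VERSION=2.94

# Exit 0 when the given CGI.pm version is older than the fixed release.
# CGI.pm versions are decimal numbers, so compare numerically (2.752 < 2.94).
cgipm_needs_upgrade() {
    awk -v v="$1" -v fixed="$FIXED_VERSION" 'BEGIN { exit !((v + 0) < (fixed + 0)) }'
}

# Print the version of the CGI.pm that perl loads (empty if it cannot load).
installed_cgipm_version() {
    perl -MCGI -e 'print $CGI::VERSION' 2>/dev/null
}

# List files under a directory that mention start_form outside of a
# whole-line or leading comment. A plain text match, so review the hits.
scripts_using_start_form() {
    grep -rlE '^[^#]*start_form' "$1" 2>/dev/null | sort
}

# audit DIR [VERSION]
# Returns 0 = fixed version, 1 = old version and callers found,
#         2 = version unknown, 3 = old version but no callers found.
audit() {
    dir=$1
    ver=${2:-$(installed_cgipm_version)}
    if [ -z "$ver" ]; then
        echo "CGI.pm version could not be determined"
        return 2
    fi
    if ! cgipm_needs_upgrade "$ver"; then
        echo "CGI.pm $ver is at or above $FIXED_VERSION"
        return 0
    fi
    hits=$(scripts_using_start_form "$dir")
    if [ -z "$hits" ]; then
        echo "CGI.pm $ver is older than $FIXED_VERSION; no start_form() callers under $dir"
        return 3
    fi
    echo "CGI.pm $ver is older than $FIXED_VERSION; scripts calling start_form():"
    echo "$hits"
    return 1
}
# Usage: audit /path/to/cgi-bin        (the path is a placeholder)
```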

WestHost - MStevenson
10-15-2003, 10:39 AM
I just heard back from the higher level techs that they are working on this and were apparently aware of this before I had told them. I will let you know when I know anything more.

WestHost - MStevenson
10-15-2003, 10:40 AM
Wildjoker,

You can either submit a ticket or post it here and we will look at it.

wildjokerdesign
10-15-2003, 10:50 AM
Mark, here is a link to the topic about the guestbook bug, if it would help to direct tech to it. http://forums.westhost.com/phpBB2/viewtopic.php?p=6874&highlight=#6874