Mailing List Archive: ModPerl: ModPerl
MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)
 



merlyn at stonehenge

Mar 22, 2007, 8:20 PM


>>>>> "Alex" == Alex Solovey <a.solovey[at]gmail.com> writes:

Alex> The problem is due to unescaped variable interpolation in regular
Alex> expression $uri =~ /$path_info$/ in sub namespace_from:

I don't want to raise too many alarms, but this means that every MP1 server
has a denial-of-service attack against it now.

Consider a regex that takes 10,000 years to figure out it doesn't match.
Those can be written in under 50 characters. I'm sure the golfers can get
it down to 10.

And path_info is an arbitrary string, aided by having %-escaping before it
gets this far, I presume.

Ick.

"Hello, CERT?"

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn[at]stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
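
Added example, not part of the original post or the mod_perl source: the unescaped match quoted above next to two hardened forms, run over constructed path_info values that contain ordinary regex metacharacters. The function names, the sample URIs and the way the match result is used (stripping path_info to get the script name) are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unescaped form: path_info is compiled as a pattern, so request data
# decides what the regex engine does (mismatch, die, or long backtracking).
sub script_unescaped {
    my ($uri, $path_info) = @_;
    my $hit = eval { $uri =~ /$path_info$/ ? 1 : 0 };
    return 'DIES: invalid regex' unless defined $hit;
    return $hit ? substr($uri, 0, length($uri) - length($path_info)) : $uri;
}

# Hardened form: \Q...\E (quotemeta) turns every character into a literal.
sub script_quoted {
    my ($uri, $path_info) = @_;
    return $uri =~ /\Q$path_info\E$/
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Regex-free alternative: compare the suffix as a plain string.
sub script_suffix {
    my ($uri, $path_info) = @_;
    my $n = length $path_info;
    return $uri unless $n && $n <= length $uri;
    return substr($uri, -$n) eq $path_info ? substr($uri, 0, -$n) : $uri;
}

# Constructed sample requests: [ full URI, path_info ].
my @cases = (
    [ '/perl/app.pl/report', '/report' ],   # no metacharacters
    [ '/perl/app.pl/a+b',    '/a+b'    ],   # '+' parsed as a quantifier
    [ '/perl/app.pl/x(1',    '/x(1'    ],   # unbalanced '(' fails to compile
);

for my $c (@cases) {
    my ($uri, $pi) = @$c;
    printf "%-20s unescaped=%-20s quoted=%-13s suffix=%s\n",
        $uri, script_unescaped($uri, $pi),
        script_quoted($uri, $pi), script_suffix($uri, $pi);
}
```

Only the first case yields `/perl/app.pl` from the unescaped form; the quoted and suffix forms yield it for all three.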
