I do host sites which use my perl scripts, yes, but I don't put the value of arguments into system calls or into file open without filtering the incoming characters. Yeah, that would be asking for trouble. I try to stay informed about threats and vulnerabilities that programmers may unintentionally insert into their code. I try to do my part and not write garbage. Lol | [reply] |
I do host sites which use my perl scripts, yes
If you are using a perl earlier than 5.18, it is highly likely that your CGI scripts are vulnerable to algorithmic complexity attacks via hash keys, first addressed in the hash overhaul in 5.18.
(I was then, and am still now, a member of the Perl security team. At the time I was working for a company with responsibility for the safekeeping of 100s of millions of credit card numbers and associated personal data, and the main bug report leading to that hash overhaul was the single scariest issue I dealt with in my career.)
| [reply] |
| [reply] |
Correction: I do not host my website on my computer. That was a misunderstanding. I thought you asked if I store html and perl files on my computer. I do, but I don't host them as a webhost. My computer is connected to the internet only while I am sitting at my desk. When I am not there, I turn it off. And it has Windows XP on it. I don't think it could be turned into a hosting machine. All my sites are hosted at 100webspace.com where it looks like they use perl 5.016003.
http://www.wzsn.net/list.pl
| [reply] |