Mailing List Archive

AW: Embperl security bug
Hi,

 
yes, the Embperl list is the right address for such issues.

 
The problem is, that Embperl has no idea what the webroot is, so it’s not easy to change the error message the way you suggest.

 
For production sites it is better to use an Apache Error Document and don’t display the interal error message at all. The Embperl error page is intended for debugging, not for production use. See http://perl.apache.org/embperl/de/pod/doc/Embperl.-page-13-.htm <http://perl.apache.org/embperl/de/pod/doc/Embperl.-page-13-.htm> how to setup an Apache ErrorDocument.

 
I hope this helps

 
Regards

 
Gerald

 
 
Von: Wire Ghoul [mailto:wireghoul@gmail.com]
Gesendet: Dienstag, 7. Januar 2014 01:06
An: embperl@perl.apache.org
Betreff: Embperl security bug

 
Hello there,

I hope this is the right address for reporting this. I already reported it to debian, but it does not appear to have made it upstream to their perl maintainers list so I thought I would try a direct approach.

The embperl package reveals the full path of the webroot when displaying a 404 message. The offending code appears to exist at:
Embperl-2.4.0/epmain.c:137:        case rcNotFound:                msg ="[%d]ERR:  %d: %s Not found '%s', searched: %s" ; break ;

Although there may be other instances as well. The full details can be found through the original Debian bug report:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731996 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731996>

Cheers,
Eldar "Wireghoul" Marcussen