CGI::Application and recent bash security hole

Christian Jaeger chrjae at gmail.com
Thu Sep 25 19:36:54 BST 2014


I think Perl itself isn't vulnerable to the same problem: env
variables aren't automatically evaluated, at least not in general;
but I actually wonder whether the usual Perl variables like PERL5LIB,
PERL5OPT, LOGDIR, PERL5DB, PERL5SHELL etc. can't be set and misused
through CGI.

Also, anything that involves running a shell (open "...|" or "|...",
system, exec with non-trivial single string arguments that Perl
doesn't know how to handle directly) will probably be exposing the
problem in the used shell (probably bash in sh mode) unless the latter
is patched. I don't immediately see any such calls in
CGI/Application.pm or CGI/Application/Mailform.pm, but don't rely on
that; any number of other modules you're using could be running a
shell. Upgrade bash to solve that part.

Ch.

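As an added illustration of the shell-versus-no-shell distinction made above (example code written for this page, not from the original message, from CGI::Application, or from london.pm), the script below contrasts a single-string command that Perl hands to /bin/sh with the list form that execs the program directly, and reports whether any of the Perl-specific variables named in the post are present in the CGI environment. It assumes a Unix host with /bin/sh and an `echo` binary; the variable list and function names are the example's own.

```perl
#!/usr/bin/perl
# Added example: which Perl calls reach /bin/sh, and the list forms
# that do not. Not code from the original post or from CGI::Application.
use strict;
use warnings;

# A single string with shell metacharacters is passed to "/bin/sh -c",
# so the shell (and every exported environment variable) is involved.
sub run_via_shell {
    my ($cmdline) = @_;
    my $out = `$cmdline`;    # backticks: shell is used when metacharacters are present
    return $out;
}

# The list form of pipe-open execs the program directly with argv as
# given: no shell is started by this call, so a vulnerable sh/bash is
# not reached here (the child itself may still spawn one).
sub run_without_shell {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Returns the subset of the variables the post names that the web server
# passed into this process's environment (hypothetical check, not part of
# CGI::Application). Log the result; whether they are legitimate depends
# on the hosting setup.
sub perl_env_vars_present {
    my @watched = qw(PERL5LIB PERL5OPT LOGDIR PERL5DB PERL5SHELL);
    return grep { defined $ENV{$_} } @watched;
}

# Demonstration: through the shell, "$HOME" and ";" are interpreted
# (two lines of output); with the list form they are printed literally.
print "shell form:\n", run_via_shell('echo $HOME; echo second');
print "list form:\n",  run_without_shell('echo', '$HOME; echo second');

my @seen = perl_env_vars_present();
print "perl-specific env vars set: @seen\n" if @seen;
```

Running the script under a CGI environment shows which of the two patterns a given call site uses; only the first pattern depends on the installed shell being patched.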

More information about the london.pm mailing list