my code is gold

This past spring, at some point in my Software Development class, I had an opportunity to mimic a joke I once heard. "Professor," I said, "all my code is perfect. I assume that any bugs I find are in the Perl language itself." It was funny because it was so absurd. We all laughed and chortled.

Now, it's not funny anymore. A claim with this level of silliness has appeared.

First, consider the basics of trusting user input. Would you ever write the following CGI script?

    #!/bin/sh
    echo "Content-type: text/plain"
    echo
    eval $QUERY_STRING

Somewhere, halfway around the world, a kid punches in http://example.com/~you/test.cgi?rm%20-rf%20 and erases what he can of your hard drive and attached storage. The consequences are obvious.

After this occurred, however, would you blame sh? Is every implementation of sh around the planet broken? Of course not. So why is Webmin blaming Perl for a similar mistake?

Perl syslog bug attack

Affects Webmin versions below 1.250 and Usermin versions below 1.180, with
syslog logging enabled.

    When logging of failing login attempts via syslog is enabled, an
    attacker can crash and possibly take over the Webmin webserver, due to
    a bug in Perl's syslog function. [...]

Take a look at the vulnerability details. Webmin passes some user input right to sprintf, which is known to be about as safe to pass user input to as the eval keyword. Yet, the developers blame Perl.

(A correction has been emailed.)
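The mistake described above, reduced to a few lines of Perl. This is an added example, not Webmin's code: the helper names and the sample login name are constructed for illustration, and sprintf stands in for the syslog call so the script runs without a syslog daemon.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a login name sent by a remote client.
my $username = 'alice%s%s%d';

# Unsafe (hypothetical helper): the untrusted value is interpolated into
# the FORMAT argument, so sprintf interprets the directives it contains.
sub log_line_unsafe {
    my ($user) = @_;
    no warnings;    # silence the "Missing argument" warnings for the demo
    return sprintf("Invalid login as $user");
}

# Hardened (hypothetical helper): the format is a constant and the
# untrusted value is passed only as data for %s.
sub log_line_safe {
    my ($user) = @_;
    return sprintf('Invalid login as %s', $user);
}

# Fallback when the caller cannot control the format: double every '%'
# so the value can no longer introduce a directive.
sub escape_format {
    my ($text) = @_;
    $text =~ s/%/%%/g;
    return $text;
}

print "unsafe:  ", log_line_unsafe($username), "\n";
print "safe:    ", log_line_safe($username), "\n";
print "escaped: ", sprintf('Invalid login as ' . escape_format($username)), "\n";

# The same rule with Sys::Syslog, whose syslog() takes
# (priority, format, args...) and formats the message like sprintf:
#   syslog('info', "Invalid login as $user");       # input becomes the format
#   syslog('info', 'Invalid login as %s', $user);   # input is only data
```

The unsafe line no longer contains the text the client sent, because sprintf consumed the directives; the safe and escaped lines log it verbatim.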

© Ian Langworth