AllInfo

“‘Perl database module allows SQL injection’ – update”

The widely used Perl database module DBI leaves room for SQL injection, because of the unpredictable way in which Perl handles lists. Among other things, this made the CMS Movable Type vulnerable to SQL injection.

According to security researcher Netanel Rubin of Check Point, the vulnerability is caused by the not always intuitive way Perl handles lists in combination with user input. Rubin presented his findings at the CCC security conference in Hamburg.

If a user deliberately supplies the same parameter several times, Perl turns the values into a list. When that user input is then processed in list context, the extra values are passed along as additional arguments, which leads to unexpected behaviour and can even create security vulnerabilities.

For the widely used Perl database module DBI, this means that quote, a function that can be called to escape quotation marks in user input in order to prevent SQL injection, no longer works properly when a user adds the parameter to a request more than once. The quotation marks are then sometimes no longer escaped, allowing a user to smuggle their own code into SQL commands.

Among the widely used CMSs, Movable Type, which is used by many major web sites, was therefore vulnerable to SQL injection. That specific problem has since been fixed, but many sites running Perl remain vulnerable. “Search GitHub for Perl scripts containing ‘quote’,” says Rubin. Sites that rely on Perl and DBI would do better to use the prepare function, with placeholders, to prevent SQL injection.
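The mechanism described in the two paragraphs above, as an added illustration that is not code from the article, from CGI.pm, DBI or Movable Type, nor from the researcher. It assumes CGI.pm is installed (it has not been part of core Perl since 5.22) and uses DBD::ExampleP, the test driver bundled with DBI, so it needs no database server. The query strings, the helper count_args and the directory listing are constructed for the example. Whether quote() hands the value back unchanged depends on what the driver's type_info reports for the type code the attacker supplied; the assumption here is that ExampleP, like DBD::mysql in the talk's Movable Type case, reports no literal prefix or suffix for SQL_INTEGER.

```perl
#!/usr/bin/env perl
# Added illustration for this article; not code from CGI.pm, DBI, Movable Type
# or the researcher. Assumes CGI.pm is installed and uses DBD::ExampleP (bundled
# with DBI) so it runs offline. Assumption: ExampleP, like DBD::mysql, reports
# no literal prefix/suffix for SQL_INTEGER, so quote() with that type returns
# the value raw.
use strict;
use warnings;
use CGI;
use DBI qw(:sql_types);

# Constructed attacker request: the same parameter sent twice. Decoded it is
#   id=1' OR '1'='1   and   id=4
# and 4 happens to be DBI's numeric code for SQL_INTEGER.
my $q = CGI->new("id=1%27%20OR%20%271%27%3D%271&id=" . SQL_INTEGER);

# The Perl feature itself: a call that returns a list, used inside another
# call's argument list, is flattened into that argument list.
sub count_args { return scalar @_ }
printf "arguments passed on: %d\n", count_args($q->param('id'));

my $dbh = DBI->connect("dbi:ExampleP:", "", "",
    { RaiseError => 1, PrintError => 0 });

# 1. The pattern from the article. quote() is declared as
#    quote($value, $data_type); the attacker's second value lands in
#    $data_type. DBI then consults the driver's type_info for that type and,
#    when it has no literal prefix/suffix, returns the string unquoted and
#    unescaped.
my $ti = $dbh->type_info(SQL_INTEGER);
printf "driver literal prefix for SQL_INTEGER: %s\n",
    $ti ? "'" . ($ti->{LITERAL_PREFIX} // '') . "'" : '(driver has no type_info)';
my $unsafe = $dbh->quote($q->param('id'));
print "list context:   WHERE id = $unsafe\n";

# 2. scalar forces a single argument (the first value), so quote() escapes the
#    embedded quote and wraps the result in quotes.
my $safe = $dbh->quote(scalar $q->param('id'));
print "scalar context: WHERE id = $safe\n";

# 3. Placeholders keep user data out of the SQL text entirely. ExampleP only
#    understands "select ... from <directory>", so the bound value is a
#    directory here; the shape is the same as for a WHERE clause. scalar is
#    still needed: in list context execute() receives two bind values for one
#    placeholder, and DBI rejects a bind-value count that does not match the
#    statement's placeholders instead of running it.
my $q2  = CGI->new("dir=.&dir=%2Fnonexistent");
my $sth = $dbh->prepare("select name from ?");
eval { $sth->execute($q2->param('dir')) };
print "list context execute: ", ($@ ? "refused: $@" : "ran\n");
$sth->execute(scalar $q2->param('dir'));
my $n = 0;
$n++ while $sth->fetch;
print "scalar execute listed $n entries\n";
```

The fix the article recommends is the third form: prepare with placeholders and execute with the values. Note that the placeholder route removes the injection but not the flattening, so every CGI parameter still has to be read in scalar context (or via the newer multi_param when a list is really wanted) before it reaches a DBI call.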

We previously reported that the counterintuitive way Perl handles lists allowed users to grant themselves access to Bugzilla, the bug tracker used by, among others, the Linux kernel project and Mozilla itself. That vulnerability has since been fixed. In the open-source wiki software TWiki, the same problem let attackers inject their own code.

The behaviour of lists is indeed described in the Perl documentation, but it is not intuitive, says Rubin. “It is the programmer's fault,” Rubin acknowledges, but “everyone” is getting it wrong, he argues. At the hacker conference, which runs until Tuesday, Rubin called on programmers to stop using Perl. According to the security researcher, Perl is unsafe and outdated.

Update, 11:36: According to Perl developer Juerd Waalboer, the problem lies not in Perl or DBI but in Perl's CGI module, one way of running Perl on a web server. “The problem is that the CGI module has an interface that makes use of that fundamental Perl feature in an especially clumsy way,” says Waalboer. In practice this leads to a large number of vulnerabilities, including in DBI.
