June 22, 2001

ePerl allows the user to embed Perl code

Author: JT Smith

Help Net Security: "ePerl allows the user to embed perl code (specified inside ePerl delimiters) in HTML.

ePerl has the ability to "safely" include untrusted files using the #sinclude directive. The
untrusted file is not supposed to be able to specify any perl code to run, but this safe
mode can easily be circumvented.

The #sinclude directive operates by replacing the ePerl delimiters on the untrusted file
so that they are ignored during parsing. The problem is that it still follows the
preprocessing directives, so the untrusted file can then include another file while not in
safe mode."


  • Linux
Click Here!