This past Spring, at some point in my Software Development class, I had an opportunity to mimic a joke I once heard. Professor, I said, all my code is perfect. I assume that any bugs I find are in the Perl language itself. It was funny because it was so absurd. We all laughed and chortled.
Now, it's not funny anymore. A claim with this level of silliness has appeared.
First, consider the basics of trusting user input. Would you ever write the following CGI script?
echo "Content-type: text/plain"
Somewhere, halfway around the world, a kid punches in http://example.com/~you/test.cgi?rm%20-rf%20 and erases what he can of your hard drive and attached storage. The consequences are obvious.
After this occurred, however, would you blame sh? Is every implementation of sh around the planet broken? Of course not. So why is Webmin blaming Perl for a similar mistake?
Perl syslog bug attack
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with syslog logging enabled.
When logging of failing login attempts via syslog is enabled, an
attacker can crash and possibly take over the Webmin webserver, due to
a bug in Perl's syslog function. [...]
(A correction has been emailed.)
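The same class of mistake, reproduced in sh as an added example that is not part of the original post or of Webmin's code. It assumes the mistake is untrusted text reaching the format argument of a printf-style call, which is how a syslog message gets formatted. The function names and sample login names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Mistake: the untrusted name is spliced into printf's FORMAT argument, so
# % directives and backslash escapes inside it are interpreted, not logged.
log_failed_login_unsafe() {
    printf "Failed login for $1\n"
}

# Fix: the format is a constant; the name is passed only as an argument (data).
log_failed_login_safe() {
    printf 'Failed login for %s\n' "$1"
}

# Regression check: does a logger record the name exactly as it was submitted?
# $1 = logger function, $2 = submitted name. Returns 0 when recorded verbatim.
records_verbatim() {
    [ "$("$1" "$2")" = "Failed login for $2" ]
}

# Constructed sample inputs: an ordinary name, one carrying format
# directives, and one carrying a literal backslash-n escape sequence.
for name in 'alice' 'admin%s%s' 'bob\nFailed login for root'; do
    for fn in log_failed_login_unsafe log_failed_login_safe; do
        if records_verbatim "$fn" "$name"; then
            verdict=verbatim
        else
            verdict=ALTERED
        fi
        printf '%-24s %-8s input=%s\n' "$fn" "$verdict" "$name"
    done
done
```

The unsafe logger records "admin" for the second input and writes two log lines for the third; the language's printf did exactly what its format argument told it to.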