All the Perl that's Practical to Extract and Report

  • There is a change in the Apache logging API starting at 2.0.49 which escapes data written to the error logs. See this link on the mod_perl [apache.org] website. So there may be some concern for those running webmin as root. But in my experience, it's always preferable to run daemons as non-privileged users whenever possible.
  • After some communication, the description of the security notice on the Webmin site has been updated, but the incorrect title remains.
    --
    qw(Ian Langworth)
  • More details at the Perl foundation weblog [perlfoundation.org].
  • The title has been fixed, plus there's an announcement [perl.org] on the use Perl; main page.
    --
    qw(Ian Langworth)
  • Let's see. Webmin uses Sys::Syslog, whose syslog function, unlike its C-library cousin, passes its arguments to sprintf, a Perl function that contains an integer overflow bug. sprintf also happily accepts tainted data.

    Yet you claim the fault lies entirely at the side of webmin.

    I disagree. Sure, webmin has a fault, but the results of the fault wouldn't be as damaging as they are now because of the overflow bug in sprintf.
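
The following is an added example, not part of the thread and not Webmin's code. It illustrates the point in the last comment: a syslog call that formats with sprintf treats its message as a format string. `format_like_syslog` is a hypothetical stand-in for `Sys::Syslog::syslog` so the script runs without a syslog daemon, and the login value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a login name taken from a request that happens to
# contain printf-style directives. It is data and must never be a format.
my $login = 'alice%s%d';

# Hypothetical stand-in for Sys::Syslog::syslog($priority, $format, @args),
# which builds its message with sprintf($format, @args).
sub format_like_syslog {
    my ($format, @args) = @_;
    no warnings;    # the unsafe call below would warn about missing arguments
    return sprintf($format, @args);
}

# Unsafe pattern: request data is interpolated into the format itself,
# so sprintf parses the directives inside $login.
my $unsafe = format_like_syslog("Invalid login as $login");

# Safe pattern: the format is a constant and the request data is only
# ever passed as an argument to a %s directive.
my $safe = format_like_syslog('Invalid login as %s', $login);

# Fallback for code that must build a format dynamically: double every
# '%' in untrusted data so sprintf emits it literally.
sub escape_format {
    my ($text) = @_;
    $text =~ s/%/%%/g;
    return $text;
}
my $escaped = format_like_syslog('Invalid login as ' . escape_format($login));

print "unsafe : $unsafe\n";
print "safe   : $safe\n";
print "escaped: $escaped\n";

# The safe and escaped forms log the input verbatim; the unsafe form does not.
print "unsafe form altered the input\n" if $unsafe ne $safe;
print "escaped form matches safe form\n" if $escaped eq $safe;
```

The same rule applies to a real `syslog` call: pass a constant format such as `'%s'` and supply request data only as arguments.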