Most Internet Web servers may be vulnerable to a pair of newly discovered security attacks.
The Poison Null and Upload Bombing attacks are said to exploit vulnerabilities in Perl CGI programs, which are used to build up to 90 percent of all interactive Web sites.
The Poison Null attack was discovered by the hacker known as “rfp”, who tested several commonly used CGI scripts for the vulnerability. The attack could allow the contents of directories to be viewed, and in some cases, Web server files could be read and modified.
The fault lies not with Perl itself, but with developers who do not appreciate the complex way in which Perl scripts interact with the other programming languages used in Web servers, rfp said.
The full story is located at www.techweb.com.