Flutterby™! : Perl Jam


Perl Jam

2015-01-08 01:22:10.524989+00 by Dan Lyke 0 comments

Whoah: Perl Jam: Exploiting a 20 year old vulnerability.

PDF of the slides, but....

The short version: $cgi->param(...) can return an array (a list of every value submitted under that name when called in list context). Nothing you didn't know there. Here's the scary bit:

$dbh->quote(...) can take an additional type argument, which will make it skip quoting(!).

This means an instant SQL injection vulnerability for code that does $dbh->quote($cgi->param(...)): the param() call sits in an argument list, so it is in list context, and a second submitted value lands in quote()'s type argument, which turns quoting off.
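To make the context trap concrete, here is an added example (not code from the post, nor from CGI.pm or DBI) using small stand-in `param` and `quote` subs that mimic the behaviour described above: `param` returns all values in list context, and `quote` returns its value unquoted when handed a numeric SQL type as the second argument. The query hash and the type code 4 are constructed for the demo; the point is that the same call spelled two ways lands in two different contexts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: id=7&id=4, i.e. two values under one parameter name.
my %query = ( id => [ '7', '4' ] );

# Stand-in for CGI.pm's param(): one value in scalar context, all of them in list context.
sub param {
    my ($name) = @_;
    my @values = @{ $query{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Stand-in for DBI's quote($value, $data_type): for a numeric type
# (4 used here as a stand-in for SQL_INTEGER) the value comes back untouched.
sub quote {
    my ($value, $data_type) = @_;
    return 'NULL' unless defined $value;
    if (defined $data_type && $data_type =~ /^\d+$/ && $data_type == 4) {
        return $value;    # numeric type: no quoting performed at all
    }
    $value =~ s/'/''/g;
    return "'$value'";
}

# Vulnerable pattern from the post. param() is an argument to quote(), so it runs in
# list context; both values are flattened into quote()'s argument list and the second
# one becomes the type argument, so the first value is spliced into SQL unquoted.
my $unsafe = 'SELECT * FROM t WHERE id = ' . quote(param('id'));
print "list context:   $unsafe\n";

# Fix 1: force scalar context so quote() can only ever receive one argument.
my $safe = 'SELECT * FROM t WHERE id = ' . quote(scalar param('id'));
print "scalar context: $safe\n";

# Fix 2 (preferred): bind with placeholders. Assigning to a scalar is scalar context,
# and the driver does the quoting, so a multi-valued parameter cannot reach the type slot.
my $id = param('id');
# $dbh->prepare('SELECT * FROM t WHERE id = ?')->execute($id);   # with a real $dbh
```

Grepping a code base for `quote($cgi->param(` (or `quote($q->param(`) finds the vulnerable spelling; the rewrite is either `scalar` in front of the call or, better, moving the value into a placeholder bind so `quote` is not needed at all.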


Flutterby code has been patched; will push.

[ related topics: Politics Perl Open Source Journalism and Media Video Databases hubris ]
