Article 34816 of dec.notes.networking.internet_tools
Title: Security of CGI interpreters (latro)

I haven't dug through this guy's claims, but figured I'd post this here to open up some discussion...

http://www.perl.com/perl/news/latro-announce.html

Urgent Security Announcement

How'd you like to let anyone anywhere run any program they feel like on your system, even sending you new ones of their own devising? Sound frightening? Well, that's what's going on out there. Despite months of lobbying corporations, individuals, and the net at large about the perl.exe?FMH.pl problem, it continues to get worse.

In the spirit of the Satan network checker, here's something that will find out whether you have the problem. It's called latro, a program anyone can use to run any program they feel like on any system so unfortunate as to have ignored those warnings. If I hadn't written it, someone else would have. You may argue that I've just given a lockpicking kit to the unwashed masses. Perhaps this is so, but far better that everyone should have the same resources at their disposal than that merely the thieves should have them. This way at least the locks might get fixed.

Already several people have posted to USENET about how one can use Alta Vista to find these sites. It's only a matter of time before these sites get, um, visited. Hopefully someone will construct a list of these and notify them. This is, of course, just a fraction of the vulnerable sites. Let's clean it up out there, guys.

Nefarious users could even ship over their own PC binaries and run them on your system, which means that if you aren't careful, they might do something useful like forcibly upgrade you to Linux. Of course, then the perl.exe?FMH.pl travesty magically goes away, along with a whole lot of other problems. :-)

Note

This problem probably affects only amateur and/or commercial machines running those cursèd spawn of CP/M that Microsoft (and no one else) calls operating systems. Professional software development systems like Unix and Plan9 should be largely unaffected. Paradoxically enough, Apple systems running their native systems should also be ok because the setup is so different. But please never underestimate the power of human stupidity when it comes to using technology they don't understand.

There are also loads of sites out there with other interpreters than Perl in their cgi-bins, including shells, tcl, python, etc. This has got to stop. CERT has been notified of the issue, and has released a report about the problem.

Resources

- Documentation on latro.
- Source code for latro.
- Source code for the LWP library used by latro.
- Background info on the problem, plus solutions.
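The problem the announcement describes, an interpreter such as perl.exe sitting in a cgi-bin directory and running whatever script the query string names, also leaves a recognisable trail in the web server's access log once the sites start getting "visited". The following Python is an added example, not part of this post, of latro, or of the CERT report: it scans Common Log Format lines for requests whose path names an interpreter under cgi-bin. It percent-decodes the path and ignores case, since a Windows server hands out PERL.EXE and perl.exe from the same file, and it catches the interpreter whether it is the last path component or is followed by extra path info. The announcement names perl, shells, tcl and python; the remaining file names in the list, and the log lines themselves, are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Interpreter binaries whose presence in a cgi-bin directory turns the web
# server into an "anyone can run anything" service. The announcement names
# perl, shells, tcl and python; the Windows .exe / .com spellings are an
# assumption about the usual file names on those systems.
INTERPRETERS = {
    "perl", "perl.exe", "sh", "bash", "ksh", "csh", "tclsh", "tclsh.exe",
    "wish", "python", "python.exe", "cmd.exe", "command.com",
}

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)'
)

# Constructed sample log lines (not real traffic) covering the cases the
# detector should and should not flag.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/1996:02:13:55 -0500] "GET /cgi-bin/perl.exe?FMH.pl HTTP/1.0" 200 1043
192.0.2.10 - - [10/Mar/1996:02:14:02 -0500] "GET /cgi-bin/PERL.EXE?FMH.pl HTTP/1.0" 200 1043
192.0.2.11 - - [10/Mar/1996:02:20:17 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512
192.0.2.12 - - [10/Mar/1996:03:01:44 -0500] "GET /cgi-bin/%70erl.exe?test.pl HTTP/1.0" 200 77
192.0.2.13 - - [10/Mar/1996:03:05:09 -0500] "GET /cgi-bin/tclsh HTTP/1.0" 500 0
192.0.2.14 - - [10/Mar/1996:03:10:00 -0500] "GET /perl.exe HTTP/1.0" 404 0
192.0.2.15 - - [10/Mar/1996:03:11:00 -0500] "GET /cgi-bin/python/somescript.py HTTP/1.0" 200 300
"""


def is_interpreter_request(raw_path: str) -> bool:
    """True when the requested path names an interpreter inside a cgi-bin directory."""
    path = urlsplit(raw_path).path          # drop the ?query part (e.g. FMH.pl)
    # Decode percent-encoding (twice, to defeat double encoding), then normalise
    # separators and case: the server's filesystem does not care about either.
    path = unquote(unquote(path)).replace("\\", "/").lower()
    parts = [p for p in path.split("/") if p]
    if "cgi-bin" not in parts:
        return False
    # The interpreter may be the final component ("/cgi-bin/perl.exe") or be
    # followed by path info ("/cgi-bin/python/somescript.py").
    after = parts[parts.index("cgi-bin") + 1:]
    return any(p in INTERPRETERS for p in after)


def find_interpreter_requests(log_text: str):
    """Return (client, request path, status) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not CLF; skip rather than guess
        client, _when, _method, path, status, _size = m.groups()
        if is_interpreter_request(path):
            hits.append((client, path, int(status)))
    return hits


def clients_probing_interpreters(log_text: str):
    """Distinct client addresses that requested an interpreter under cgi-bin."""
    return sorted({client for client, _path, _status in find_interpreter_requests(log_text)})


if __name__ == "__main__":
    for client, path, status in find_interpreter_requests(SAMPLE_LOG):
        print(f"{client} {status} {path}")
    print("clients:", ", ".join(clients_probing_interpreters(SAMPLE_LOG)))
```

A 200 on such a request means the interpreter actually ran; a 404 or 500 still tells you someone is looking. Either way the fix is the one the announcement's background page argues for: remove the interpreter binary from cgi-bin altogether, since no amount of log watching makes an exposed perl.exe safe.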