> The original question, though, was whether embperl is *inherently*
> less secure than some other strategies.

As far as I can see, there is no specific security problem with Embperl.
Embperl itself does not write any files (when not running offline), so it
can't be abused to place files on your server. The only file Embperl writes
is the logfile, and I can't see how anybody could place content in it that
would be usable by a cracker. The main problem is that if anybody already has
write access to your server, then he can place a file that is executed by
Embperl, and this file can do anything that the user the httpd runs as can
do. That's true for CGI scripts, Apache::Registry scripts, Mason, ASP,
whatever scripting you use. The other possibility for an attacker would be to
place an .htaccess file somewhere and thereby alter your configuration in an
unwanted way.

Gerald

Important Note: Embperl before version 1.2b10 has a security hole when
running as CGI, so anybody using Embperl in CGI mode should upgrade to
1.2b10!!
---------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internet - Infodatenbanken - Apache - Perl - mod_perl - Embperl
E-Mail: [EMAIL PROTECTED] Tel: +49-6133/925151
WWW: http://www.ecos.de Fax: +49-6133/925152
---------------------------------------------------------------
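
An added example, not part of the original message or of Embperl: a small audit for the two exposures the reply names, listing what the httpd account could modify under a document root and every .htaccess file found there. The uid offset, directory names and `.epl` file names are constructed for the demo.

```python
import os
import stat
import tempfile


def httpd_can_write(st, uid, gids):
    """True if the account (uid, gids) can modify the object described by st."""
    if st.st_uid == uid:
        return True  # the owner can always chmod write access back on
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids=()):
    """Return (writable, htaccess) as sorted lists of paths relative to docroot."""
    writable, htaccess = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; the target matters
            rel = os.path.relpath(path, docroot)
            if httpd_can_write(st, uid, set(gids)):
                writable.append(rel)
            if os.path.basename(path) == ".htaccess":
                htaccess.append(rel)
    return sorted(writable), sorted(htaccess)


def build_sample_tree():
    """Constructed sample docroot: one world-writable dir, one stray .htaccess."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {"index.epl": 0o644, "uploads/.htaccess": 0o644, "lib/util.epl": 0o640}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "lib"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root


if __name__ == "__main__":
    # Assumption: the httpd account is not the user running this demo.
    print(audit_docroot(build_sample_tree(), uid=os.getuid() + 4242))
```

A directory that shows up in the first list is a place where a file could be dropped and later executed with the httpd user's rights; each path in the second list should correspond to a configuration override you put there yourself.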