> The original question, though, was whether embperl is *inherently*
> less secure than some other strategies.

Actually, the original question was: "How secure is CGI.pm and EMBPERL?"

> I am no security expert, but some of the exploits that were tried
> (unsuccessfully) by this cracker did in fact rely on whether
> server-side includes and/or embedded Perl were active.

Not quite. Precisely, the exploits relied on bugs in the CGI/mod_perl
scripts to (try to) execute code. If the CGI/mod_perl script is secure,
then SSI, ``, system(), eval(), and all the other ways to execute code
are also secure.

As far as CGI.pm and embperl are concerned, they are widely used
products, and bugs in them would surely have been mentioned by now. If
that's not sufficient for you, feel free to check the modules yourself.

ELB
--
Eric L. Brine | Chicken: The egg's way of making more eggs.
[EMAIL PROTECTED] | Do you always hit the nail on the thumb?
ICQ# 4629314 | An optimist thinks thorn bushes have roses.