Date: Sun, 12 May 2013 21:38:58 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules
Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw()
on session data stored client side with no signature verification
mechanisms in place to prevent tampering. Perl's Storable module was
recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the
App::Context bundle.
https://rt.cpan.org/Ticket/Display.html?id=85215

HTML::EP::Session::Cookie in the HTML::EP bundle.
https://rt.cpan.org/Ticket/Display.html?id=85216

Spoon::Cookie in the Spoon bundle.
https://rt.cpan.org/Ticket/Display.html?id=85217
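The pattern the report describes, and the fix it implies (verify a MAC over the serialized bytes before thaw() ever sees them), as an added illustration that is not code from the post or from any of the modules named above. The secret, the cookie layout and the helper names are assumptions for the example; Storable, Digest::SHA and MIME::Base64 are all core Perl modules.

```perl
use strict;
use warnings;
use Storable qw(freeze thaw);
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical server-side secret; in practice load it from configuration.
my $SECRET = 'replace-with-a-long-random-secret';

# Vulnerable pattern: whatever the client sent is deserialized directly.
sub load_session_unsafe {
    my ($cookie) = @_;
    return thaw(decode_base64($cookie));
}

# Hardened pattern: serialize, then append an HMAC over the encoded bytes.
sub make_session_cookie {
    my ($session) = @_;
    my $blob = encode_base64(freeze($session), '');   # '' => no line breaks
    my $mac  = hmac_sha256_hex($blob, $SECRET);
    return "$blob.$mac";                              # base64 never contains '.'
}

# Verify the MAC before anything is passed to thaw().
sub load_session_safe {
    my ($cookie) = @_;
    my ($blob, $mac) = split /\./, $cookie, 2;
    return unless defined $blob && defined $mac;
    my $expected = hmac_sha256_hex($blob, $SECRET);
    return unless length($mac) == length($expected) && _consteq($mac, $expected);
    return thaw(decode_base64($blob));
}

# Constant-time comparison so a forged MAC cannot be guessed byte by byte.
sub _consteq {
    my ($x, $y) = @_;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Constructed demo: a genuine cookie is accepted ...
my $cookie  = make_session_cookie({ user => 'alice', role => 'user' });
my $session = load_session_safe($cookie);
print "valid cookie accepted: user=$session->{user}\n";

# ... and a cookie whose payload was swapped but whose MAC was kept is rejected.
my (undef, $mac) = split /\./, $cookie, 2;
my $forged = encode_base64(freeze({ user => 'alice', role => 'admin' }), '') . ".$mac";
print "tampered cookie rejected\n" unless defined load_session_safe($forged);
```

The MAC only proves the cookie was produced by a holder of the secret; it does not make thaw() safe on data from anyone else, so the verification must happen before deserialization, never after.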