49 comments

Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11609220)

Perl forum still up and running. Conclusion? Obvious.

Re:Meanwhile (5, Informative)

isn't my name (514234) | more than 9 years ago | (#11609355)

Perl forum still up and running. Conclusion? Obvious.

It says they write more careful--or less widespread--perl.

The awstats exploit that was used here makes use of poorly written perl that failed to validate user input. Of course, had you read the article, you would know that.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11609430)

The awstats exploit that was used here makes use of poorly written perl that failed to validate user input.

WTF is so hard with validating user input?? Never heard of CPAN [cpan.org]?

Of course, had you read the article, you would know that.

Of course, I had so much time during that minute between posting the story and posting my comment, riiight...

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610514)

WTF is so hard with validating user input?

Ask the awstats people that. It still has absolutely nothing to do with PHP.

Of course, I had so much time during that minute between posting the story and posting my comment, riiight...

Which is why it would, uh, have made sense for you to post your comment a little later, like for example after reading the article. That would make you look a bit less like a blathering fanboy who can barely stop drooling long enough to type, and a bit more like, if not quite a member of the human race, then at least a primate. Well, a mammal.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610667)

I know you are but what am I?

Re:Meanwhile (1)

DikSeaCup (767041) | more than 9 years ago | (#11609499)

Of course your comment about "poorly written perl" could be more general.

As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

Lies, damn lies, pure fud (0)

Anonymous Coward | more than 9 years ago | (#11609548)

Of course your comment about "poorly written perl" could be more general. As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.

OK, smartass, show me just ONE example of buffer overrun in Perl. Just ONE. Put it up or shut up!

Re:Lies, damn lies, pure fud (0)

Anonymous Coward | more than 9 years ago | (#11609830)

http://www.auscert.org.au/render.html?it=1887

Re:Lies, damn lies, pure fud (0)

Anonymous Coward | more than 9 years ago | (#11610626)

I was asking about perl, not suidperl! Suidperl is not only an independent program but has been deprecated for years. Also, a NINE YEARS OLD VULNERABILITY??? WTF! Couldn't you possibly find anything even LESS relevant? I doubt it!

Re:Lies, damn lies, pure fud (1)

Haeleth (414428) | more than 9 years ago | (#11610614)

OK, smartass, show me just ONE example of buffer overrun in Perl. Just ONE. Put it up or shut up!

Okay, smartarse, show me just ONE SENTENCE in his post where he made any comment that implys that Perl is given to buffer overflows.

No, tell you what, I'll save you the trouble:
Of course your comment about "poorly written perl" could be more general. As an IT professional, it puts me in a constant state of amazement when I hear about yet another buffer overrun.
Since you appear to be unable to parse this perfectly straightforward English correctly, I'll explain: "Your comment could be more general" means "bad code is written in other languages as well as Perl". The reference to buffer overruns is an example of a form of bad code that is common in these more general cases.

Re:Lies, damn lies, pure fud (0)

Anonymous Coward | more than 9 years ago | (#11610731)

I am also unable to parse a slightly less perfectly straightforward English...

Syntax error: implys

Sorry. Couldn't read any further.

Re:Meanwhile (3, Insightful)

wizbit (122290) | more than 9 years ago | (#11609555)

It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location. But this is why we chroot jail CGI scripts and avoid stupid use of system calls.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11609585)

It's not a buffer overflow, it's poor use of the open command in perl and hideously bad security practice to allow that command's arguments to a) contain practically any arbitrary value, and furthermore b) be passed from any browser that can find the script location.

It's not a bad practice of perl persay.
Anyone worth his salt in gold will:

1. Always use taint mode in CGI scripts
2. Use 3-argument open()
3. Therefore be safe

Your point again?
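As an added example (not code from the thread or from AWStats itself) of the two open() styles contrasted in the comments above, together with the whitelist check that the "always use taint mode" advice refers to; the base directory, parameter values and function names are constructed for illustration.

```perl
# Added example, not code from AWStats or from this thread. Run with
# `perl -T` so taint checks are enforced; names and inputs are constructed.
use strict;
use warnings;

# The shape of the bug the thread describes: 2-argument open() takes the
# access mode from the string itself, so a value ending in "|" is run as a
# command and a leading ">" truncates the file. Shown only, never called.
sub open_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    return $fh;
}

# Whitelist check that also untaints under -T (see perlsec): only a plain
# basename of word characters, dots and dashes gets through; "/", "|",
# ">" and whitespace are all rejected, and so are "." and "..".
sub sanitize_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A([\w.-]+)\z/;
    my $clean = $1;                     # the capture is the untainted copy
    return undef if $clean eq '.' || $clean eq '..';
    return $clean;
}

# Hardened counterpart: validated name joined to a fixed base directory and
# opened with an explicit read mode, so the value can never choose the mode.
sub open_safe {
    my ($base, $name) = @_;
    my $clean = sanitize_name($name);
    return undef unless defined $clean;
    open(my $fh, '<', "$base/$clean") or return undef;
    return $fh;
}

# Constructed inputs, as a CGI parameter might deliver them.
for my $in ('stats.txt', 'stats.txt|', '>stats.txt', '../etc/passwd', 'a b') {
    my $clean = sanitize_name($in);
    printf "%-15s => %s\n", $in,
        defined $clean ? "accepted as '$clean'" : 'rejected';
}
```

Only the first input passes the whitelist; the others are refused before open() ever sees them, and even a value that slipped through could not change the mode because it is given explicitly.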

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610772)

That's per se, not persay.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610888)

That's per se, not persay.

That's "That's," not "That's."

Re:Meanwhile (1)

DikSeaCup (767041) | more than 9 years ago | (#11609598)

Didn't mean to imply that it was a buffer overrun, just that there's a lot of code out there that can be considered "poorly written".

Course, I shouldn't really knock it - I'm not a programmer (I just make things go).

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11609699)

Didn't mean to imply that it was a buffer overrun,

But you did.

just that there's a lot of code out there that can be considered "poorly written".

How do you know if you don't even know what stack smashing is (hint: buffer overflow does not have to be exploitable) or how Perl scalar strings work for that matter?

[of] Course, I shouldn't really knock it -

Fair enough.

I'm not a programmer

It shows.

(I just make things go).

Yeah, right.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610286)

He didn't imply that this was a buffer overrun, you read too much into his comment. You are insulting him for a number of shortcomings that aren't apparent from his comments. Do you know him personally, or are you just an arsehole?

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610476)

LOL! An AC defending the honour of a slashdotter? Stop talking about yourself in 3rd person, DikSeaCup!

Re:Meanwhile (2, Informative)

JFitzsimmons (764599) | more than 9 years ago | (#11609536)

Pfft... it says right in the slashdot summary that the cause of the security flaw was AWStats, not the forums themselves (or the php language itself, which far too many people have needless grudges against). I assure you, there are plenty of secure php pages out there, and plenty of insecure perl pages out there. It depends on the coder.

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610530)

...and AWStats is written in Perl...

Re:Meanwhile (0)

Anonymous Coward | more than 9 years ago | (#11610156)

And whilst the awstats exploit was out for nearly two weeks, you have to wonder why they didn't patch theirs.... It's their OWN fault!

Not phpBB -- Just their server. (4, Informative)

Ahnteis (746045) | more than 9 years ago | (#11609339)

It's sad that most sites are posting this with a headline that seems to indicate that phpBB is the problem. The SERVER was hacked through OTHER software, not phpBB. (I know I was worried about my sites until I read the article.)

Re:Not phpBB -- Just their server. (0)

Anonymous Coward | more than 9 years ago | (#11610202)

Although one can't help wondering about karma.

when the most recent PHPBB2 flaw was being used to deface sites their initial response was to tell people that the defacements were due to similarly timed PHP bugs, not their code.

Whilst I'd not want to see anybody compromised the headline in this case is ironic, rather than unfortunate.

Re:Not phpBB -- Just their server. (0)

Anonymous Coward | more than 9 years ago | (#11614914)

Doesn't exactly engender a lot of faith in their software, though..

Worms then.... (1, Interesting)

djsmiley (752149) | more than 9 years ago | (#11609596)

I wonder how long until a worm comes out to take advantage of this....

It's always interested me, from the time my work's php site was overrun via a googling worm.
And how you always hear that it takes x hrs after a flaw is found for someone to start using it.

That's why I never use (0)

Anonymous Coward | more than 9 years ago | (#11609641)

mod_php.o in httpd.conf even if preinstalled - just comment it out and everything runs faster with smaller memory foot print - a win-win scenario for me.

Re:That's why I never use (0)

Anonymous Coward | more than 9 years ago | (#11609813)

Try reading the summary, dumbass. The hole was in a perl script, not php.

[tt] Learn how to patch! (1)

CodeRed (5676) | more than 9 years ago | (#11610027)

If they would have properly managed their systems, none of this would have happened.

They had it coming (0)

Anonymous Coward | more than 9 years ago | (#11610093)

If anyone is frivolous enough to still use php when there is rock solid perl 5.8.6 available then one is basically asking to be rooted if you ask me.

Re:They had it coming (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11610796)

Did you even read the article? They exploited AWStats, a Perl script.

Re:They had it coming (0)

Anonymous Coward | more than 9 years ago | (#11615241)

Did you even read the article?

You must be new here.

Many vulnerable AWStats sites on google (2, Informative)

lhaeh (463179) | more than 9 years ago | (#11610305)

A cursory check of google [google.com] suggests that there are many people who haven't patched yet: it lists the version number at the bottom of the statistics page.

AWStats is a very popular tool, google returns likely 4,490 users. This could be as bad as one of the old ISS vulnerabilities. With any luck, the publicity generated by incidents like this one will be a warning to those still running vulnerable versions.

Re:Many vulnerable AWStats sites on google (1)

javaguy (67183) | more than 9 years ago | (#11625237)

"This could be as bad as one of the old ISS vulnerabilities. "

What's wrong with the International Space Station? ;)

The new 'underbelly' of IT.... (1)

TeeJS (618313) | more than 9 years ago | (#11610511)

and open source in particular will be keeping up with all of the known holes and their fixes. I subscribe to three different security announcement listservs, and I still didn't hear about a patch for Mambo OS until I went to the forums looking for an answer on a stupid question. If I hadn't gone to the forums (I don't too often) I'd still be unpatched.

I'm not sure what the answer is, but with the diversity in my network I could spend a whole day each week looking for issues on the services I run...

Re:The new 'underbelly' of IT.... (1)

macdaddy (38372) | more than 9 years ago | (#11612505)

This is why I subscribe to the announcement list of all major software packages I use. Or, alternately, I subscribe to the security bulletin list if they offer one. I also chastise the authors when they abuse the announcement list for something that's not an announcement. Yes, it's their list and their software, but they are greatly damaging their program's viability in a security conscious market by making it harder to get timely security bulletins. I don't sort announcement list mail either, or if I do post process it, I'll archive a copy in its own directory and keep a copy in my regular inbox so I have to see it. It works for me. I've managed to keep up with all the systems I've managed and I haven't been hacked yet (knock on wood VERY loudly). I won't say that it's been easy though. It's just part of the job. The important thing here is to make sure this everyday piece of your job isn't overlooked by management. "Oh, he spends half his day surfing the web and reading email. He's not doing anything important." Right... Nothing important. :-)

How long (0)

Anonymous Coward | more than 9 years ago | (#11610560)

before people finally get it that php is not for secure production mission critical environment? Another exploit, big deal. Just use secure [perl.org] software [slashdot.org] and get over it. Jeez.

Good point (0)

Anonymous Coward | more than 9 years ago | (#11610826)

How long before people finally get it that php is not for secure production mission critical environment? Another exploit, big deal. Just use secure [python.org] software [perl.org] and get over it. Jeez.

Very good point. Unfortunately, there are literally tons of php fanboys always trying to force their little toy down our throats, even though /. itself is php-free, lol.

How long (1)

Anonymous Coward | more than 9 years ago | (#11613415)

before people finally understand that web developers shouldn't be writing code in any languages lower level than javascript? The security of production mission critical systems shouldn't be put into the hands of Dreamweaver jockeys.

Re:How long (0)

Anonymous Coward | more than 9 years ago | (#11617662)

Try reading the summary, and then the article if you still don't have a clue.

The exploit was the result of a poorly coded perl script. It had nothing to do with php.

What's the big deal? (0)

Anonymous Coward | more than 9 years ago | (#11610858)

Yet another hole in a blog toy php system: film at 11. Booooooriiiiing.

Re:What's the big deal? (0)

Anonymous Coward | more than 9 years ago | (#11612938)

The bug was in AWStats, which is a Perl script you dumbass. If you had bothered to read the article you would have known that.

Re:What's the big deal? (0)

Anonymous Coward | more than 9 years ago | (#11615203)

... you dumbass. If you had bothered to read the article ...

You must be new here.

Fucking Ridiculous (1)

Surye (580125) | more than 9 years ago | (#11614583)

Reading nearly 10 "OMFG HAHAH PHP IS TEH SUCK" comments on a story about a mature perl script with a bug makes me sick. I swear, /. is getting worse. Not that the headline is helping the misleading thoughts...

*shakes head* (2, Insightful)

Malek the Damned (694215) | more than 9 years ago | (#11616326)

I'm not sure whether it's hilarious or very, very sad that this is just turning into a huge "php sucks, ha ha, use perl instead you n00bs" thread.

It's actually throwing a bad light on perl developers (and I am one, so I'm not flaming here) that they can't even be bothered reading even the _summary_ and see it was the perl function open() in AWstats that got used to exploit the server, not a php script.

Personally, I code in perl and php. I use whichever's right for the task, and like 'em both.

Oh, and I code my perl and php in Dreamweaver MX, too. Under Wine.

*cue flaming*

OMG! (0)

Anonymous Coward | more than 9 years ago | (#11618390)

A website got defaced?! Amazing! /sarcasm

I always figured /. was a news portal, not a security mailing list. Stuff like this happens all the time, why is this one news? Because a semi-popular site was defaced, even though its content was unrelated to the hole? I mean, with any malicious exploit that gets used before a patch is made, there are victims. Nothing new here. The parent isn't even worth the bandwidth it used.

Bah humbug.