oss-sec mailing list archives
CVE Request: Storable::thaw called on cookie data in multiple CPAN modules
From: John Lightsey <john () nixnuts net>
Date: Sun, 12 May 2013 21:38:58 -0500
Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw() on session data stored client side with no signature verification mechanisms in place to prevent tampering. Perl's Storable module was recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the App::Context bundle.
https://rt.cpan.org/Ticket/Display.html?id=85215

HTML::EP::Session::Cookie in the HTML::EP bundle.
https://rt.cpan.org/Ticket/Display.html?id=85216

Spoon::Cookie in the Spoon bundle.
https://rt.cpan.org/Ticket/Display.html?id=85217
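The pattern the report describes, shown as an added example that is not code from any of the CPAN modules named above: the unsafe form hands cookie bytes straight to Storable::thaw(), while the hardened form appends an HMAC over the serialized payload and refuses to deserialize anything whose MAC does not verify. The secret, the "payload.mac" cookie layout and the function names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example: sign client-side session data with an HMAC and verify it
# before Storable::thaw() ever sees the bytes. Not code from the modules
# in the advisory; the secret and cookie layout are assumptions.
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumed server-side secret; it never leaves the server.
my $SECRET = 'replace-with-a-long-random-secret';

# Unsafe pattern from the report: the cookie is deserialized as-is, so
# whoever can edit the cookie controls what thaw() reconstructs.
sub session_from_cookie_unsafe {
    my ($cookie) = @_;
    return thaw(decode_base64($cookie));
}

# Hardened pattern: serialize, then MAC the serialized payload.
# Cookie layout (assumed): "<base64 payload>.<hex hmac-sha256>".
sub cookie_from_session {
    my ($session) = @_;
    my $payload = encode_base64(nfreeze($session), '');
    my $mac     = hmac_sha256_hex($payload, $SECRET);
    return "$payload.$mac";
}

# Constant-time comparison so the verifier does not leak how many
# leading characters of the MAC matched.
sub mac_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session hashref, or undef if the cookie is malformed or
# its MAC does not verify. thaw() runs only on authenticated bytes.
sub session_from_cookie {
    my ($cookie) = @_;
    my ($payload, $mac) = split /\./, $cookie, 2;
    return undef unless defined $payload && defined $mac;
    my $expected = hmac_sha256_hex($payload, $SECRET);
    return undef unless mac_equal($mac, $expected);
    return thaw(decode_base64($payload));
}

# Demonstration with a constructed session.
my $cookie  = cookie_from_session({ user => 'alice', role => 'user' });
my $session = session_from_cookie($cookie);
print "verified session for $session->{user}\n";

# Change one character of the payload: the MAC no longer matches and the
# cookie is rejected before any deserialization happens.
my $tampered = $cookie;
substr($tampered, 0, 1) = substr($tampered, 0, 1) eq 'A' ? 'B' : 'A';
print defined session_from_cookie($tampered)
    ? "accepted (unexpected)\n"
    : "rejected tampered cookie\n";
```

The MAC covers the encoded payload exactly as it travels in the cookie, so any edit to the client-side data fails verification before thaw() is reached; the check is an integrity control only, and the payload itself remains readable by the client.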