Forum Thread: ActivePerl 5.x & PopFile
You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Problems and Questions Regarding 3rd Party Programs

Relating to this vendor:
ActiveState
And, this specific program:
ActivePerl 5.x

Twoko
ActivePerl 5.x & PopFile
by Twoko on 27th Nov, 2008 12:52
Posts: 4

User Since: 27th Nov, 2008

Secunia System Score: N/A

Location: N/A
PSI scan is warning that ActivePerl 5.x is a potential threat (level 4). Updating does not appear to cure. Perl.exe is used in PopFile, of which I have the latest release, and it also appears that the latest version of Perl is used there, too. At this point I don't see that I have any alternative but to continue with what I have, but I'm not sure what the potential dangers are in doing that.

Does anyone have any advice?

BigDave_39
RE: ActivePerl 5.x & PopFile
by BigDave_39 on 27th Nov, 2008 18:02
Posts: 175

User Since: 26th Nov, 2008

Secunia System Score: N/A

Location: Washington, DC, US
on 27th Nov, 2008 12:52, Twoko wrote:
PSI scan is warning that ActivePerl 5.x is a potential threat (level 4). Updating does not appear to cure. Perl.exe is used in PopFile, of which I have the latest release, and it also appears that the latest version of Perl is used there, too. At this point I don't see that I have any alternative but to continue with what I have, but I'm not sure what the potential dangers are in doing that.

Does anyone have any advice?


I can't really give you any advice on how to secure this. But I would complain to the vendor of popfile for not updating the insecure version of Perl that they apparently distribute with their software.

--
Big Dave

Twoko
RE: ActivePerl 5.x & PopFile
by Twoko on 28th Nov, 2008 19:05
Posts: 4

User Since: 27th Nov, 2008

Secunia System Score: N/A

Location: N/A
But they are using the latest version. - Or at least it certainly looks like it... Does that mean that ActivePerl is not secure? (I'm not even sure what it is, or what it's for.)

BigDave_39
RE: ActivePerl 5.x & PopFile
by BigDave_39 on 28th Nov, 2008 19:07
Posts: 175

User Since: 26th Nov, 2008

Secunia System Score: N/A

Location: Washington, DC, US
on 28th Nov, 2008 19:05, Twoko wrote:
But they are using the latest version. - Or at least it certainly looks like it... Does that mean that ActivePerl is not secure? (I'm not even sure what it is, or what it's for.)


I guess it does mean that it is insecure.

Could you copy and paste the path to where the PSI detected this copy of ActivePerl?

--
Big Dave

Twoko
RE: ActivePerl 5.x & PopFile
by Twoko on 28th Nov, 2008 19:30
Posts: 4

User Since: 27th Nov, 2008

Secunia System Score: N/A

Location: N/A
D:\Program Files\POPFile\POPFile\Perle.exe

PopFile is an e-mail spam filter I've been using for years, which is just brilliant!

BigDave_39
RE: ActivePerl 5.x & PopFile
by BigDave_39 on 28th Nov, 2008 19:40
Posts: 175

User Since: 26th Nov, 2008

Secunia System Score: N/A

Location: Washington, DC, US
on 28th Nov, 2008 19:30, Twoko wrote:
PopFile is an e-mail spam filter I've been using for years, which is just brilliant!


I haven't heard of popfile before, but it looks very interesting, I think I will give it a closer look, thanks! :o)


on 28th Nov, 2008 19:30, Twoko wrote:
D:\Program Files\POPFile\POPFile\Perle.exe


It seems as if popfile ships with a copy of perl included, it is likely that this is insecure.. But I doubt that it poses a big problem.. perhaps you can just ignore it? Still though, I would let the popfile guys know about it, either way I think that they should update this file.

--
Big Dave

YoKenny
RE: ActivePerl 5.x & PopFile
by YoKenny on 29th Nov, 2008 10:15
Posts: 306

User Since: 23rd Dec, 2007

Secunia System Score: 100%

Location: Ont. , CA
I don't use PopFile but I do use Pop Peeper that does not exhibit a vulnerability:
http://www.poppeeper.com

--
1. Windows 7, 64bit, 4GB RAM, avast! V5 beta3, Browser Defender™
2. XP Pro SP3, 32bit, 768MB RAM, avast! V4.8 Pro, Browser Defender™
with IE8, MBAM, and WinPatrol PLUS

txwizard
RE: ActivePerl 5.x & PopFile
by txwizard on 2nd Dec, 2008 04:24, last edited on 2nd Dec, 2008 04:24
Posts: 2

User Since: 2nd Dec, 2008

Secunia System Score: N/A

Location: N/A
ActivePerl is the predominant Windows distribution of the Perl scripting language. Unfortunately, the information provided by the PSI is a bit vague. However, it's possible that any installation of Perl would be considered insecure, because of several theoretically exploitable functions, such as its printf() function.

However, since it is my understanding that printf() is exploitable only if it is fed a token for formatting a floating point number, unless you are in the habit of allowing unknown Perl scripts to run, you are probably safe enough in respect to printf(). The mere presence of a Perl interpreter poses other threats, too, because a Perl script can make system calls, and can call into the Windows API. However, since I am unaware of any way for a Perl script to run without permission, except, perhaps, in the sand box created by the Windows Scripting Host, I am not too concerned about it.

Since Perl is a scripting language, any regular Perl script that came to me would be in the form of plain text, which I may freely examine before I execute it.

Generally speaking, I consider my Perl installation to be as safe as, for example, my installation of the Windows Scripting Host (CSCRIPT.EXE and WSCRIPT.EXE).

After I wrote the initial version of this post, I went back to PSI, and discovered that there was a link to a new distribution, ActivePerl 5.6.1.638, which cleared the security alert. My installation was 5.6.1.633 (5 more recent build increments). You might want to check with the developers of your PopFile add-in, and see whether you can upgrade your Perl installation without breaking PopFile. I wouldn't upgrade without first checking with them, because there may be breaking changes in build 638.
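
A check for the situation this thread describes, an application carrying its own copy of the Perl interpreter. The PowerShell below is an added example, not part of any post and not Secunia, ActiveState or POPFile code; it lists interpreter copies under the given roots with the version from each file's version resource and flags those below a minimum. The function name, its parameters and the assumption that the executable records its build in that resource are assumptions of this example; the sample root and minimum are the path and the 5.6.1.638 build quoted in the thread.

```powershell
# Added example (PowerShell 5 or later): inventory Perl interpreter copies,
# including ones bundled inside application directories, and compare each
# file's version resource to a minimum supplied by the caller.
# Assumption: the executable carries its build number in the version resource;
# a copy without one is reported as 'unknown' rather than guessed.
# The minimum only makes sense within one release line (e.g. 5.6.1.x).
function Get-BundledPerl {
    param(
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    # Skip roots that are empty or do not exist on this machine.
    $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        # 'perl*.exe' also matches differently named copies such as the
        # Perle.exe path quoted in the thread.
        Get-ChildItem -LiteralPath $_ -Filter 'perl*.exe' -File -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $vi = $_.VersionInfo
        $hasVersion = [bool]$vi.FileVersion
        $found = if ($hasVersion) {
            [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        }
        $status = if (-not $hasVersion) { 'unknown' } elseif ($found -lt $MinimumVersion) { 'below minimum' } else { 'ok' }
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $found
            Product = $vi.ProductName
            Status  = $status
        }
    }
}

# Sample call using values quoted in the thread: the reported install root
# and the build that txwizard says cleared the alert for the 5.6.1 line.
Get-BundledPerl -Root 'D:\Program Files', $env:ProgramFiles -MinimumVersion '5.6.1.638' |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

A copy reported under an application's own directory is updated by that application's vendor, not by installing a newer ActivePerl elsewhere on the machine.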

Twoko
RE: ActivePerl 5.x & PopFile
by Twoko on 2nd Dec, 2008 11:29
Posts: 4

User Since: 27th Nov, 2008

Secunia System Score: N/A

Location: N/A
Thank you for the detailed explanation! - I have just run another PSI scan and the Perl warning has cleared..!