Perl Jam
2015-01-08 02:22:10.524989+01 by Dan Lyke 0 comments
Whoah: Perl Jam: Exploiting a 20 year old vulnerability.
The short version: $cgi->param(...) can return an array. Nothing you didn't know there. Here's the scary bit:
$dbh->quote(...) can take an additional type argument, which will make it skip quoting(!).
This means instant SQL injection vulnerability for code which does $dbh->quote($cgi->param(...)).
Gulp.
Flutterby code has been patched, will push