Vulnerability

    Apache::ASP

Affected

    Apache::ASP prior to v1.95

Description

    Joshua Chamas found following.  Apache::ASP had a security hole in
    its ./site/eg/source.asp  distribution examples  file, allowing  a
    malicious hacker to  potentially write to  files in the  directory
    local to the source.asp example script.

    The next version of Apache::ASP v1.95 going to CPAN will not  have
    this  security  hole  in  its  example  ./site/eg/source.asp   The
    general CHANGES for this release is below.

    The original report  on a similar  perl open() bug  was at ZDNet's
    eWeek where a hacking contest  at openhack.com turned up a  bug on
    its minivend ecommerce software.  For minivend, see:

        http://oliver.efri.hr/~crv/security/bugs/Others/minivend.html

Solution

    Until you  have the  latest examples,  it is  recommended deleting
    this  source.asp  file  from  any  public  web  server  that   has
    Apache::ASP installed on it. 1.95 fixed this.