Forum Thread: ActivePerl 5.x & PopFile


This thread was submitted in the following forum:
Programs

Relating to this vendor:
ActiveState
And, this specific program:
ActivePerl 5.x

This thread has been marked as locked.
Twoko ActivePerl 5.x & PopFile
Member 27th Nov, 2008 12:52
Ranking: 0
Posts: 4
User Since: 27th Nov, 2008
System Score: N/A
Location: N/A
PSI scan is warning that ActivePerl 5.x is a potential threat (level 4). Updating does not appear to cure. Perl.exe is used in PopFile, of which I have the latest release, and it also appears that the latest version of Perl is used there, too. At this point I don't see that I have any alternative but to continue with what I have, but I'm not sure what the potential dangers are in doing that.

Does anyone have any advice?

BigDave_39 RE: ActivePerl 5.x & PopFile
Member 27th Nov, 2008 18:02
Score: 0
Posts: 177
User Since: 26th Nov 2008
System Score: N/A
Location: Washington, DC, US
on 27th Nov, 2008 12:52, Twoko wrote:
PSI scan is warning that ActivePerl 5.x is a potential threat (level 4). Updating does not appear to cure. Perl.exe is used in PopFile, of which I have the latest release, and it also appears that the latest version of Perl is used there, too. At this point I don't see that I have any alternative but to continue with what I have, but I'm not sure what the potential dangers are in doing that.

Does anyone have any advice?


I can't really give you any advice on how to secure this. But I would complain to the vendor of PopFile for not updating the insecure version of Perl that they apparently distribute with their software.

--
Big Dave
Twoko RE: ActivePerl 5.x & PopFile
Member 28th Nov, 2008 19:05
Score: 0
Posts: 4
User Since: 27th Nov 2008
System Score: N/A
Location: N/A
But they are using the latest version. - Or at least it certainly looks like it... Does that mean that ActivePerl is not secure? (I'm not even sure what it is, or what it's for.)
BigDave_39 RE: ActivePerl 5.x & PopFile
Member 28th Nov, 2008 19:07
Score: 0
Posts: 177
User Since: 26th Nov 2008
System Score: N/A
Location: Washington, DC, US
on 28th Nov, 2008 19:05, Twoko wrote:
But they are using the latest version. - Or at least it certainly looks like it... Does that mean that ActivePerl is not secure? (I'm not even sure what it is, or what it's for.)


I guess it does mean that it is insecure.

Could you copy and paste the path to where the PSI detected this copy of ActivePerl?

--
Big Dave
Twoko RE: ActivePerl 5.x & PopFile
Member 28th Nov, 2008 19:30
Score: 0
Posts: 4
User Since: 27th Nov 2008
System Score: N/A
Location: N/A
D:\Program Files\POPFile\POPFile\Perle.exe

PopFile is an e-mail spam filter I've been using for years, which is just brilliant!
BigDave_39 RE: ActivePerl 5.x & PopFile
Member 28th Nov, 2008 19:40
Score: 0
Posts: 177
User Since: 26th Nov 2008
System Score: N/A
Location: Washington, DC, US
on 28th Nov, 2008 19:30, Twoko wrote:
PopFile is an e-mail spam filter I've been using for years, which is just brilliant!


I haven't heard of PopFile before, but it looks very interesting. I think I will give it a closer look, thanks! :o)


on 28th Nov, 2008 19:30, Twoko wrote:
D:\Program Files\POPFile\POPFile\Perle.exe


It seems as if PopFile ships with a copy of Perl included; it is likely that this is insecure. But I doubt that it poses a big problem. Perhaps you can just ignore it? Still, though, I would let the PopFile guys know about it; either way I think that they should update this file.

--
Big Dave
This user no longer exists RE: ActivePerl 5.x & PopFile
Member 29th Nov, 2008 10:15
I don't use PopFile but I do use Pop Peeper that does not exhibit a vulnerability:
http://www.poppeeper.com
txwizard RE: ActivePerl 5.x & PopFile
Member 2nd Dec, 2008 04:24
Score: 0
Posts: 2
User Since: 2nd Dec 2008
System Score: N/A
Location: N/A
Last edited on 2nd Dec, 2008 05:25
ActivePerl is the predominant Windows distribution of the Perl scripting language. Unfortunately, the information provided by the PSI is a bit vague. However, it's possible that any installation of Perl would be considered insecure, because of several theoretically exploitable functions, such as its printf() function.

However, since it is my understanding that printf() is exploitable only if it is fed a token for formatting a floating point number, unless you are in the habit of allowing unknown Perl scripts to run, you are probably safe enough in respect to printf(). The mere presence of a Perl interpreter poses other threats, too, because a Perl script can make system calls, and can call into the Windows API. However, since I am unaware of any way for a Perl script to run without permission, except, perhaps, in the sandbox created by the Windows Scripting Host, I am not too concerned about it.

Since Perl is a scripting language, any regular Perl script that came to me would be in the form of plain text, which I may freely examine before I execute it.

Generally speaking, I consider my Perl installation to be as safe as, for example, my installation of the Windows Scripting Host (CSCRIPT.EXE and WSCRIPT.EXE).

After I wrote the initial version of this post, I went back to PSI, and discovered that there was a link to a new distribution, ActivePerl 5.6.1.638, which cleared the security alert. My installation was 5.6.1.633 (5 more recent build increments). You might want to check with the developers of your PopFile add-in, and see whether you can upgrade your Perl installation without breaking PopFile. I wouldn't upgrade without first checking with them, because there may be breaking changes in build 638.
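An added illustration of the printf() point made in the reply above (example code written for this page, not from any poster or from PopFile/ActivePerl): a Perl interpreter is not dangerous on its own; the risk is a script that hands external text to printf/sprintf as the format string, where every `%` token is parsed. The script below contrasts that with the safe idiom (a fixed format, untrusted text passed only as an argument) and adds a small checker that reports which directives an untrusted string would trigger. The sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example: untrusted text as FORMAT vs as ARGUMENT to sprintf, plus a
# checker that lists the directives Perl would interpret in a string.
use strict;
use warnings;

# One sprintf directive as Perl parses it: optional explicit index (%2$s),
# flags, vector flag, width, precision, size modifier, conversion letter.
my $DIRECTIVE = qr/%(?:\d+\$)?[-+ 0#]*(?:\*?v)?(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|L|V)?[%csduoxXeEfgGbBpniaADUOF]/;

# Returns every directive found in the text. A non-empty list means the
# text must never be used as a format string; log it and treat it as data.
sub format_directives {
    my ($text) = @_;
    return ($text =~ /($DIRECTIVE)/g);
}

# Unsafe pattern: the untrusted string IS the format, so its % tokens are
# consumed as directives (missing arguments produce warnings and garbage).
sub render_unsafe {
    my ($untrusted) = @_;
    return sprintf($untrusted);        # never do this with external input
}

# Safe pattern: the program owns the format; the untrusted string is only
# an argument, so any % characters in it are emitted literally.
sub render_safe {
    my ($untrusted) = @_;
    return sprintf('%s', $untrusted);
}

# Constructed sample inputs (not real data): a benign-looking string that
# happens to contain "% f", and one that is obviously probing for %s.
my @samples = ("Disk 90% full", "%s%s%s%s");

for my $input (@samples) {
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };   # capture sprintf warnings
    my @hits = format_directives($input);
    printf "input:            %s\n", $input;                  # fixed format, input as argument
    printf "directives found: %s\n", @hits ? join(' ', @hits) : '(none)';
    printf "safe rendering:   %s\n", render_safe($input);
    printf "unsafe rendering: %s  (%d warning(s) raised)\n", render_unsafe($input), scalar @warnings;
}
```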
Twoko RE: ActivePerl 5.x & PopFile
Member 2nd Dec, 2008 11:29
Score: 0
Posts: 4
User Since: 27th Nov 2008
System Score: N/A
Location: N/A
Thank you for the detailed explanation! - I have just run another PSI scan and the Perl warning has cleared..!