I just caught this going by in the daily CPAN update.

[9.] Security-Test - Performs checks for common Perl insecurities
 Uploaded: Sep 06, 2001
 CPAN id: N/NW/NWETTERS (Nigel Wetters)
          http://search.cpan.org/search?author=NWETTERS
 Package: Security-Test-0.01.tar.gz
          http://search.cpan.org/search?dist=Security-Test-0.01

What this module actually does is contact a web server upon
installation and tells it what the UID that ran the test was (to see
if it's root).

It does *not* look like there is any malicious intent, just a little
overzealous.  I've contacted the author and asked him to voluntarily
delete this module and discuss the problem with [EMAIL PROTECTED]

    package Security::Test;

    # IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  IMPORTANT  
    #
    # READ THIS BEFORE INSTALLING!!
    #
    # This module does nothing.
    #
    # The test module sends a HTTP request to
    # http://securitytest.perlfascist.com
    # which notes the number of attempted installations
    # and whether installation was performed
    # with superuser priviledges. The request is
    # formatted as follows:
    #   GET /YetAnotherFail?uid=$uid HTTP/1.1
    #   Host: securitytest.perlfascist.com
    # I will release details of this research
    # to CPAN maintainers, and maybe later will
    # post a summary on 
    # http://securitytest.perlfascist.com 


-- 

Michael G. Schwern   <[EMAIL PROTECTED]>    http://www.pobox.com/~schwern/
Perl6 Quality Assurance     <[EMAIL PROTECTED]>       Kwalitee Is Job One
The eye opening delightful morning taste of expired cheese bits in sour milk!
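
A defender-side check for the behaviour reported above, added here as an example (it is not code from the post or from Security-Test): it flags files that run during `perl Makefile.PL` / `make test` and both load a network module and read the UID. The indicator patterns are an assumed heuristic list, and the sample distribution and the `collector.example` host are constructed.

```python
import re

# Files that execute while a CPAN distribution is configured and tested.
INSTALL_TIME = re.compile(r"(^|/)(Makefile\.PL|Build\.PL|test\.pl|t/[^/]+\.t)$")

# Heuristic indicators (assumed, not exhaustive).
NETWORK = re.compile(
    r"\b(?:use|require)\s+(?:LWP(?:::\w+)*|IO::Socket(?:::\w+)*|Net::\w+|HTTP::\w+|Socket)\b"
    r"|\b(?:socket|connect)\s*\(")
UID_READ = re.compile(r"\$[<>](?![=\w])|\$E?UID\b|\bgetpwuid\b|\bPOSIX::gete?uid\b")

def audit(files):
    """files: {path: perl source}. Returns sorted (path, line_no, kind, code)."""
    findings = []
    for path, src in files.items():
        if not INSTALL_TIME.search(path):
            continue                      # library code does not run at install
        for n, line in enumerate(src.splitlines(), 1):
            code = line.strip()
            if not code or code.startswith("#"):
                continue                  # skip blanks and full-line comments
            if NETWORK.search(code):
                findings.append((path, n, "network", code))
            if UID_READ.search(code):
                findings.append((path, n, "uid", code))
    return sorted(findings)

def reports_identity(findings):
    """Install-time files that both use the network and read the UID."""
    kinds = {}
    for path, _, kind, _ in findings:
        kinds.setdefault(path, set()).add(kind)
    return sorted(p for p, k in kinds.items() if k >= {"network", "uid"})

# Constructed sample distribution (not the real Security-Test source).
SAMPLE = {
    "Example-Dist-0.01/lib/Example/Dist.pm": "package Example::Dist;\n1;\n",
    "Example-Dist-0.01/t/pure.t": "use Test::More tests => 1;\nok(1);\n",
    "Example-Dist-0.01/t/basic.t": (
        "use Test::More tests => 1;\n"
        "use IO::Socket::INET;\n"
        "my $uid = $<;\n"
        "my $s = IO::Socket::INET->new(PeerAddr => 'collector.example', PeerPort => 80);\n"
        "ok(1);\n"),
}

if __name__ == "__main__":
    for path, n, kind, code in audit(SAMPLE):
        print(f"{path}:{n}: {kind}: {code}")
    print("review before installing:", reports_identity(SAMPLE and audit(SAMPLE)))
```

A hit is only a prompt to read the test file before running it; plenty of legitimate test suites open sockets.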
