Security Advisories (12)
CPANSA-Mojolicious-2015-01 (2015-02-02)

Directory traversal on Windows

CPANSA-Mojolicious-2014-01 (2014-10-07)

Context sensitivity of method param could lead to parameter injection attacks.

CVE-2011-1841 (2011-03-10)

Mojolicious is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by link_to helper. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2011-1589 (2011-04-05)

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

CVE-2011-1841 (2011-05-03)

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CPANSA-Mojolicious-2022-03 (2022-12-10)

Mojo::DOM did not correctly parse <script> tags.

CPANSA-Mojolicious-2021-02 (2021-06-01)

Small sessions could be used as part of a brute-force attack to decode the session secret.

CVE-2021-47208 (2021-03-16)

A bug in format detection can potentially be exploited for a DoS attack.

CPANSA-Mojolicious-2018-03 (2018-05-19)

Mojo::UserAgent was not checking peer SSL certificates by default.

CPANSA-Mojolicious-2018-02 (2018-05-11)

GET requests with embedded backslashes can be used to access local files on Windows hosts.

CVE-2018-25100 (2018-02-13)

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl use a hard-coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NAME

Mojolicious::Guides::FAQ - Frequently Asked Questions

OVERVIEW

This document contains the most frequently asked questions about Mojolicious together with the right answers.

QUESTIONS

Does Mojolicious run on Windows systems?

Sure it does! Right now there are two different ways of running Perl on the Windows platform. One is Strawberry Perl and the other is ActiveState Perl. Both are capable Perl distributions which are stable, mature and ready for production. But Strawberry Perl is quite a bit better at dealing with the CPAN and especially XS based modules due to its remarkable toolchain. With it you can even install modules straight from the source as you would do on a Unix based machine.

Is it possible to run the builtin webserver on Windows?

It is! The builtin webserver is a great way to run your Mojolicious web application on any platform. See Mojolicious::Guides::Cookbook for more information about running and deploying Mojolicious applications.

Note that if you run your application with the --reload option, Windows will lock your files. A simple Windows editor like WordPad will complain that the file has already been opened by a different process. More capable editors can handle this accordingly and force the change.

What's the easiest way to install Mojolicious on UNIX?

Quite possibly this one-liner.

sudo -s 'curl -L cpanmin.us | perl - "Mojolicious"'

I think Mojolicious is awesome, how can I support you guys?

Share your success story via blog or twitter, get more people hooked! :)

I think I have found a bug, what should I do now?

Prepare a test case demonstrating the bug. You are not expected to fix it yourself, but you'll have to make sure the developers can replicate your problem. Sending in your whole application generally does more harm than good; the t directory of this distribution has many good examples of how to do it right. Writing a test is usually the hardest part of fixing a bug, so the better your test case, the faster it can be fixed. ;)

Once that's done, you can contact the developers via GitHub (http://github.com/kraih/mojo), mailing list (http://groups.google.com/group/mojolicious) or IRC (#mojo on irc.perl.org).

If you decide to fix the bug yourself, make sure to also take a look at Mojolicious::Guides::CodingGuidelines.