
This queue is for tickets about the mod_perl CPAN distribution.

Report information
The Basics
Id: 126984
Status: resolved
Priority: 0/
Queue: mod_perl

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 2.0.10
Fixed in: (no value)



Subject: [CVE-2011-2767] Arbitrary Perl code execution in the context of the user account via a user-owned .htaccess

There is a vulnerability in mod_perl (tested with 2.0.10) that allows an ordinary user to execute any arbitrary code in the httpd process with the credentials of the https process owner by injecting a <Perl> section into his (=user's) .htaccess file.

For example this code in ~/public_html/.htaccess:

    <Perl>
    warn "HIT";
    </Perl>

appends the following line into /var/log/httpd/error_log:

    HIT at /home/test/public_html/.htaccess line 2.

Debian tracks this vulnerability <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169> since 2011-10-03 but. This vulnerability was assigned the CVE-2011-2767 identifier. The Debian bug report also provides a fix <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19>. The fix restricts the <Perl> section to server configuration scope only. This is in line with mod_perl documentation <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>.

On Wed Aug 29 07:23:27 2018, ppisar wrote:
> There is a vulnerability in mod_perl (tested with 2.0.10) that allows
> an ordinary user to execute any arbitrary code in the httpd process
> with the credentials of the https process owner by injecting a <Perl>
> section into his (=user's) .htaccess file.
>
> For example this code in ~/public_html/.htaccess:
>
>     <Perl>
>     warn "HIT";
>     </Perl>
>
> appends the following line into /var/log/httpd/error_log:
>
>     HIT at /home/test/public_html/.htaccess line 2.
>
> Debian tracks this vulnerability
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169>
> since 2011-10-03 but. This vulnerability
> was assigned the CVE-2011-2767 identifier. The Debian bug report also
> provides a fix
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19>.
> The fix restricts the <Perl> section
> to server configuration scope only. This is in line with mod_perl
> documentation
> <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>.

Thanks for the report. The patch cited above has now been committed in rev. 1867470, which will be in the forthcoming mod_perl-2.0.11.
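
A defensive audit for the issue reported in this ticket, as an added example (not part of the ticket and not mod_perl code): it walks a directory tree and lists every per-directory override file that opens a <Perl> section, with the line number of each opening tag. The file name .htaccess (Apache's default AccessFileName), the function names and the sample tree built in demo() are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Apache directive and section names are case-insensitive, and the opening
# tag may carry whitespace before ">", so match "<Perl>", "<perl >", etc.
# A closing "</Perl>" or a commented-out "# <Perl>" does not match.
PERL_SECTION = re.compile(r"^\s*<perl(\s[^>]*)?>", re.IGNORECASE)


def find_perl_sections(path):
    """Return the 1-based line numbers in `path` that open a <Perl> section."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if PERL_SECTION.match(line):
                hits.append(lineno)
    return hits


def scan_tree(root, name=".htaccess"):
    """Walk `root` and return {path: [line numbers]} for files with a hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            hits = find_perl_sections(path)
            if hits:
                findings[path] = hits
    return findings


def demo():
    """Scan a constructed sample tree; keys are paths relative to its root."""
    samples = {  # constructed sample content, not taken from a real host
        "test/public_html": '<Perl>\nwarn "HIT";\n</Perl>\n',
        "alice/public_html": "Options -Indexes\n# <Perl> in a comment\n",
        "bob/public_html": "Options -Indexes\n  <perl >\nwarn 1;\n</perl>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(body)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h
                for p, h in found.items()}


if __name__ == "__main__":
    for path, lines in sorted(demo().items()):
        print(path, lines)
```

On a host that still runs mod_perl 2.0.10 or earlier, any hit in a user-writable directory is worth reviewing together with the AllowOverride setting for that directory.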