This queue is for tickets about the mod_perl CPAN distribution.

Report information

The Basics
Id: 126984
Status: resolved
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 2.0.10
Fixed in: (no value)



Subject: [CVE-2011-2767] Arbitrary Perl code execution in the context of the user account via a user-owned .htaccess

There is a vulnerability in mod_perl (tested with 2.0.10) that allows an ordinary user to execute any arbitrary code in the httpd process with the credentials of the https process owner by injecting a <Perl> section into his (=user's) .htaccess file.

For example this code in ~/public_html/.htaccess:

<Perl>
warn "HIT";
</Perl>

appends following line into /var/log/httpd/error_log:

HIT at /home/test/public_html/.htaccess line 2.

Debian tracks this vulnerability <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169> since 2011-10-03 but. This vulnerability was assigned CVE-2011-2767 identifier. The Debian bug report also provides a fix <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19>. The fix restricts the <Perl> section to server configuration scope only. This is in line with mod_perl documentation <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>.

On Wed Aug 29 07:23:27 2018, ppisar wrote:
> There is a vulnerability in mod_perl (tested with 2.0.10) that allows
> an ordinary user to execute any arbitrary code in the httpd process
> with the credentials of the https process owner by injecting a <Perl>
> section into his (=user's) .htaccess file.
>
> For example this code in ~/public_html/.htaccess:
>
> <Perl>
> warn "HIT";
> </Perl>
>
> appends following line into /var/log/httpd/error_log:
>
> HIT at /home/test/public_html/.htaccess line 2.
>
> Debian tracks this vulnerability
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169> since
> 2011-10-03 but. This vulnerability was assigned CVE-2011-2767
> identifier. The Debian bug report also provides a fix
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19>. The
> fix restricts the <Perl> section to server configuration scope only.
> This is in line with mod_perl documentation
> <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>.

Thanks for the report. The patch cited above has now been committed in rev. 1867470, which will be in the forthcoming mod_perl-2.0.11.
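
A defender-side check for the condition this ticket describes, as an added example that is not part of the ticket or of mod_perl: it walks a directory tree and reports every .htaccess file that contains a <Perl> section, including unterminated ones. The function names are hypothetical, and the directory layout and file contents built in demo() are constructed samples.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive and may be indented.
# \b keeps <PerlSomething> from matching; a "# <Perl>" comment line does not match.
OPEN = re.compile(r"^\s*<Perl\b[^>]*>", re.IGNORECASE)
CLOSE = re.compile(r"^\s*</Perl\s*>", re.IGNORECASE)

def find_perl_sections(path):
    """Return (start_line, end_line or None) for each <Perl> section in one file."""
    sections, start = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if start is None:
                if OPEN.match(line):
                    start = lineno
            elif CLOSE.match(line):
                sections.append((start, lineno))
                start = None
    if start is not None:  # unterminated section: still worth reporting
        sections.append((start, None))
    return sections

def scan_tree(root, name=".htaccess"):
    """Walk root and map each per-directory config file to its <Perl> sections."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            found = find_perl_sections(path)
            if found:
                hits[path] = found
    return hits

def demo():
    """Scan a constructed tree: one clean file, one closed and one open section."""
    samples = {"alice": "Options -Indexes\n",
               "test": '# constructed sample\n<perl>\nwarn "HIT";\n</Perl>\n',
               "bob": "<Perl>\nwarn 1;\n"}
    with tempfile.TemporaryDirectory() as root:
        for user, body in samples.items():
            d = os.path.join(root, user, "public_html")
            os.makedirs(d)
            with open(os.path.join(d, ".htaccess"), "w") as fh:
                fh.write(body)
        return {os.path.relpath(p, root).replace(os.sep, "/"): s
                for p, s in scan_tree(root).items()}

if __name__ == "__main__":
    for path, sections in sorted(demo().items()):
        print(path, sections)
```

On a real host, point scan_tree at the directory that holds the user web roots, such as the /home tree used in the report above.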

