https://bugzilla.redhat.com/show_bug.cgi?id=1623265
Bug ID: 1623265
Summary: CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: hhorak@redhat.com, jkaluza@redhat.com, jorton@redhat.com, perl-devel@lists.fedoraproject.org, perl-maint-list@redhat.com, ppisar@redhat.com
A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

Laura Pardo lpardo@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1623268, 1623267, 1623269

--- Comment #1 from Laura Pardo lpardo@redhat.com ---
Created mod_perl tracking bugs for this issue:
Affects: epel-7 [bug 1623268]
Affects: fedora-all [bug 1623267]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1623267
[Bug 1623267] CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1623268
[Bug 1623268] CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [epel-7]

Laura Pardo lpardo@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1623271

--- Comment #3 from Petr Pisar ppisar@redhat.com ---
Reproducer:
(1) Enable user's ~/public_html directories in httpd configuration (add "UserDir public_html" directive to /etc/httpd/conf.d/userdir.conf) and enable httpd_enable_homedirs SELinux boolean.
(2) Add to ~/public_html/.htaccess:
    <Perl>
    warn "HIT";
    </Perl>
(3) Request <http://localhost/~<USER>/> document.
(4) Check /var/log/httpd/error_log for Perl's "HIT" warning message, e.g.
    # tail -n 1 error_log
    HIT at /home/test/public_html/.htaccess line 2.
A <USER> can write any arbitrary text to /var/log/httpd/error_log.
Proposed fix:
The <Perl> section should not be supported in .htaccess files at all as is documented in http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location. A fix proposed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19 does that.
This is a bug in the mod_perl implementation. This is not about a missing or malfunctioning "PerlOption -Sections" directive. This is about <Perl> sections being erroneously processed in <Directory>, <Location>, <Files> sections, and .htaccess files.

Petr Pisar ppisar@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |CPAN 126984

Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |yozone@redhat.com

Scott Gayou sgayou@redhat.com changed:
Whiteboard
  Removed: impact=moderate,public=20111003,reported=20180826,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=new,rhel-6/mod_perl=new,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new
  Added:   impact=moderate,public=20111003,reported=20180826,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=new,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new

Scott Gayou sgayou@redhat.com changed:
Priority
  Removed: medium
  Added:   high
Whiteboard
  Removed: impact=moderate,public=20111003,reported=20180826,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=new,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new
  Added:   impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=new,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new
Severity
  Removed: medium
  Added:   high

Scott Gayou sgayou@redhat.com changed:
Whiteboard
  Removed: impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=new,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new
  Added:   impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=wontfix,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new

Scott Gayou sgayou@redhat.com changed:
Whiteboard
  Removed: impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=wontfix,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=new,rhscl-3/rh-perl526-mod_perl=new
  Added:   impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=wontfix,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=affected,rhscl-3/rh-perl526-mod_perl=affected

Scott Gayou sgayou@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1626276, 1626273, 1626274, 1626275, 1626272

Scott Gayou sgayou@redhat.com changed:
Whiteboard
  Removed: impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=wontfix,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=affected,rhscl-3/rh-perl526-mod_perl=affected
  Added:   impact=important,public=20111003,reported=20180826,source=cve,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-266,mitigate=selinux,fedora-all/mod_perl=affected,epel-7/mod_perl=affected,rhel-5/mod_perl=wontfix,rhel-6/mod_perl=affected,rhel-8/mod_perl=affected,rhscl-3/rh-perl524-mod_perl=affected,rhscl-3/rh-perl526-mod_perl=affected

--- Comment #6 from Scott Gayou sgayou@redhat.com ---
Thanks for the reproduction notes ppisar. Quite easy to reproduce and gain code execution as the apache process. As a note, SELinux does technically mitigate this in that the UserDir functionality will not work without specific selinux booleans (httpd_enable_homedirs and perhaps httpd_read_user_content). However, it is unlikely that anyone would enable UserDir and not set the corresponding selinux flags as the functionality would obviously not work until the booleans are set.
Seems like this flaw could impact shared hosting the most.
My guess is that a good mitigation now is to disable UserDir functionality and potentially .htaccess processing via AllowOverride None.

--- Comment #7 from Scott Gayou sgayou@redhat.com ---
Mitigation:
Disabling the UserDir directive and also setting AllowOverride None should mitigate the processing of perl in user .htaccess files.

--- Comment #8 from Scott Gayou sgayou@redhat.com ---
Mitigation:
Disabling the UserDir directive and also setting AllowOverride None should prevent the processing of perl in user .htaccess files.

--- Comment #9 from Scott Gayou sgayou@redhat.com ---
Statement:
The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to this flaw. The UserDir option needs to be enabled as well as AllowOverride being set to values other than "None" for this to potentially pose a threat.
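
Added example (not part of the bug report or of mod_perl): a Python check for the two conditions named in the statement above, UserDir enabled together with an AllowOverride value other than None, plus a scan of a .htaccess file for <Perl> sections. The sample configuration and .htaccess text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs for illustration; not taken from the bug report.
SAMPLE_CONF = '''\
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
</Directory>
<Directory "/var/www/html">
    AllowOverride None
</Directory>
'''
SAMPLE_HTACCESS = '<Perl>\nwarn "HIT";\n</Perl>\n'

def audit_conf(text):
    """Return (userdir_enabled, [(scope, AllowOverride value), ...])."""
    userdir_enabled, overrides, scope = False, [], "(server)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory(?:Match)?\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            scope = m.group(1)
        elif re.match(r"</Directory", line, re.I):
            scope = "(server)"
        elif (m := re.match(r"UserDir\s+(.+)", line, re.I)):
            # Conservative: anything but a bare "disabled" may enable UserDir.
            userdir_enabled |= m.group(1).strip().lower() != "disabled"
        elif (m := re.match(r"AllowOverride\s+(.+)", line, re.I)):
            overrides.append((scope, m.group(1).strip()))
    return userdir_enabled, overrides

def exposure(text):
    """Conditions from the bug: UserDir on and AllowOverride other than None."""
    userdir_enabled, overrides = audit_conf(text)
    risky = [(s, v) for s, v in overrides if v.lower() != "none"]
    return userdir_enabled and bool(risky), risky

def perl_section_lines(htaccess_text):
    """1-based line numbers where a <Perl> section opens in a .htaccess file."""
    return [n for n, l in enumerate(htaccess_text.splitlines(), 1)
            if re.match(r"\s*<Perl\b", l, re.I)]

if __name__ == "__main__":
    print(exposure(SAMPLE_CONF))
    print(perl_section_lines(SAMPLE_HTACCESS))
```

The check reads only the text it is given; it does not follow Include directives or account for a version-dependent AllowOverride default.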

--- Comment #10 from Fedora Update System updates@fedoraproject.org ---
mod_perl-2.0.10-9.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #11 from Fedora Update System updates@fedoraproject.org ---
mod_perl-2.0.10-11.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
mod_perl-2.0.10-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #13 from Fedora Update System updates@fedoraproject.org ---
mod_perl-2.0.10-13.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2825 https://access.redhat.com/errata/RHSA-2018:2825

errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:2825

--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2826 https://access.redhat.com/errata/RHSA-2018:2826

errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:2826

Tomas Hoger thoger@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2018-09-27 06:57:57

--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2018:2737 https://access.redhat.com/errata/RHSA-2018:2737

errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:2737

Bug 1623265 depends on bug 1623267, which changed state.
Bug 1623267 Summary: CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1623267
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA

Bug 1623265 depends on bug 1623268, which changed state.
Bug 1623268 Summary: CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1623268
What       |Removed |Added
----------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA