Created mod_perl tracking bugs for this issue:

Affects: epel-7 [bug 1623268]
Affects: fedora-all [bug 1623267]

Reproducer:

(1) Enable user's ~/public_html directories in httpd configuration (add "UserDir public_html" directive to /etc/httpd/conf.d/userdir.conf) and enable httpd_enable_homedirs SELinux boolean.

(2) Add to ~/public_html/.htaccess:
<Perl>
warn "HIT";
</Perl>

(3) Request <http://localhost/~<USER>/> document.

(4) Check /var/log/httpd/error_log for Perl's "HIT" warning message, e.g.
# tail -n 1 error_log
HIT at /home/test/public_html/.htaccess line 2.

A <USER> can write any arbitrary text to /var/log/httpd/error_log.

Proposed fix:

The <Perl> section should not be supported in .htaccess files at all as is documented in <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>. A fix proposed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19> does that.

This a bug in mod_perl implementation. This not about missing or malfunctioning "PerlOption -Sections" directive. This is about <Perl> sections being erroneously processed in <Directory>, <Location>, <Files> section, and .htaccess  files.

Thanks for the reproduction notes ppisar. Quite easy to reproduce and gain code execution as the apache process. As a note, SELinux does technically mitigate this in that the UserDir functionality will not work without specific selinux booleans (httpd_enable_homedirs and perhaps httpd_read_user_content). However, it is unlikely that anyone would enable UserDir and not set the corresponding selinux flags as the functionality would obviously not work until the booleans are set.

Seems like this flaw could impact shared hosting the most.

My guess is that a good mitigation now is to disable UserDir functionality and potentially .htaccess processing via AllowOverride None.

Mitigation:

Disabling the UserDir directive and also setting AllowOverride None should prevent the processing of perl in user .htaccess files.

Statement:

The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to to this flaw.  The UserDir option needs to be enabled as well as AllowOverride being set to values other than "None" for this to potentially pose a threat.

mod_perl-2.0.10-9.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

mod_perl-2.0.10-11.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

mod_perl-2.0.10-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

mod_perl-2.0.10-13.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2737 https://access.redhat.com/errata/RHSA-2018:2737

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2825 https://access.redhat.com/errata/RHSA-2018:2825

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2826 https://access.redhat.com/errata/RHSA-2018:2826