Bug 1623265 (CVE-2011-2767) - CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
Summary: CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the u...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2767
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1623267 1623268 1623269 1626272 1626273 1626274 1626275 1626276
Blocks: 1623271
TreeView+ depends on / blocked
 
Reported: 2018-08-28 20:53 UTC by Laura Pardo
Modified: 2019-09-29 14:57 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-27 10:57:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2737 None None None 2018-09-24 15:52:28 UTC
CPAN 126984 None None None 2018-08-29 11:23:51 UTC
Red Hat Product Errata RHSA-2018:2825 None None None 2018-09-27 10:41:31 UTC
Red Hat Product Errata RHSA-2018:2826 None None None 2018-09-27 10:52:39 UTC

Description Laura Pardo 2018-08-28 20:53:48 UTC
A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.


References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

Comment 1 Laura Pardo 2018-08-28 20:55:04 UTC
Created mod_perl tracking bugs for this issue:

Affects: epel-7 [bug 1623268]
Affects: fedora-all [bug 1623267]

Comment 3 Petr Pisar 2018-08-29 10:43:25 UTC
Reproducer:

(1) Enable user's ~/public_html directories in httpd configuration (add "UserDir public_html" directive to /etc/httpd/conf.d/userdir.conf) and enable httpd_enable_homedirs SELinux boolean.

(2) Add to ~/public_html/.htaccess:
<Perl>
warn "HIT";
</Perl>

(3) Request <http://localhost/~<USER>/> document.

(4) Check /var/log/httpd/error_log for Perl's "HIT" warning message, e.g.
# tail -n 1 error_log
HIT at /home/test/public_html/.htaccess line 2.

A <USER> can write any arbitrary text to /var/log/httpd/error_log.

Proposed fix:

The <Perl> section should not be supported in .htaccess files at all as is documented in <http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location>. A fix proposed at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19> does that.

This a bug in mod_perl implementation. This not about missing or malfunctioning "PerlOption -Sections" directive. This is about <Perl> sections being erroneously processed in <Directory>, <Location>, <Files> section, and .htaccess  files.

Comment 6 Scott Gayou 2018-09-06 22:57:11 UTC
Thanks for the reproduction notes ppisar. Quite easy to reproduce and gain code execution as the apache process. As a note, SELinux does technically mitigate this in that the UserDir functionality will not work without specific selinux booleans (httpd_enable_homedirs and perhaps httpd_read_user_content). However, it is unlikely that anyone would enable UserDir and not set the corresponding selinux flags as the functionality would obviously not work until the booleans are set.

Seems like this flaw could impact shared hosting the most.

My guess is that a good mitigation now is to disable UserDir functionality and potentially .htaccess processing via AllowOverride None.

Comment 8 Scott Gayou 2018-09-06 23:07:23 UTC
Mitigation:

Disabling the UserDir directive and also setting AllowOverride None should prevent the processing of perl in user .htaccess files.

Comment 9 Scott Gayou 2018-09-06 23:11:47 UTC
Statement:

The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to to this flaw.  The UserDir option needs to be enabled as well as AllowOverride being set to values other than "None" for this to potentially pose a threat.

Comment 10 Fedora Update System 2018-09-07 15:24:05 UTC
mod_perl-2.0.10-9.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-09-07 16:15:24 UTC
mod_perl-2.0.10-11.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2018-09-13 16:34:13 UTC
mod_perl-2.0.10-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2018-09-21 05:22:58 UTC
mod_perl-2.0.10-13.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2018-09-24 15:52:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2737 https://access.redhat.com/errata/RHSA-2018:2737

Comment 15 errata-xmlrpc 2018-09-27 10:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2825 https://access.redhat.com/errata/RHSA-2018:2825

Comment 16 errata-xmlrpc 2018-09-27 10:52:32 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2826 https://access.redhat.com/errata/RHSA-2018:2826


Note You need to log in before you can comment on or make changes to this bug.