CVE-2011-2767: Code Injection
First published: Sun Aug 26 2018(Updated: )
A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. References: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169</a>
Credit: security@debian.org security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Mod Perl | >=2.0.0<=2.0.10 | |
| Debian Debian Linux | =8.0 | |
| Redhat Enterprise Linux | =7.4 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux | =6.7 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux | =7.3 | |
| Redhat Enterprise Linux | =7.5 | |
| Redhat Enterprise Linux | =7.6 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| debian/libapache2-mod-perl2 | 2.0.11-4 2.0.12-1 2.0.13-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E
- https://bugs.debian.org/644169
- https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html
- https://access.redhat.com/errata/RHSA-2018:2737
- https://access.redhat.com/errata/RHSA-2018:2826
- https://access.redhat.com/errata/RHSA-2018:2825
- http://www.securityfocus.com/bid/105195
- https://usn.ubuntu.com/3825-1/
- https://usn.ubuntu.com/3825-2/
- https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@%3Cmodperl-cvs.perl.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html
- https://launchpad.net/bugs/cve/CVE-2011-2767
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1623268
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1623267
- http://localhost/
- http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19
- https://bugzilla.redhat.com/show_bug.cgi?id=1623265
- https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3E
- https://rt.cpan.org/Public/Bug/Display.html?id=126984
- https://bugzilla.redhat.com/show_bug.cgi?id=1623265#c3
- https://security-tracker.debian.org/tracker/CVE-2011-2767
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767
- https://nvd.nist.gov/vuln/detail/CVE-2011-2767
- https://ubuntu.com/security/CVE-2011-2767
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2767
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/description
- agent/severity
- agent/weakness
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/apache
- canonical/apache mod perl
- version/apache mod perl/2.0.0
- version/apache mod perl/2.0.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.4
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/6.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux/6.7
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux/7.3
- version/redhat enterprise linux/7.5
- version/redhat enterprise linux/7.6
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- package-manager/debian