REDHAT-BUG-1623265
First published: Tue Aug 28 2018(Updated: )
A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. References: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache mod_perl | >=2.0<=2.0.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1623268
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1623267
- http://localhost/
- http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169#19
- https://access.redhat.com/errata/RHSA-2018:2737
- https://access.redhat.com/errata/RHSA-2018:2825
- https://access.redhat.com/errata/RHSA-2018:2826
- https://bugzilla.redhat.com/show_bug.cgi?id=1623265
- agent/references
- agent/type
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2767
- agent/first-publish-date
- agent/source
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache mod_perl