cbcvebase.
CVE-2011-2767
published 2018-08-26

CVE-2011-2767: mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the…

PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
8.95%
94.6th percentile
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

Affected

18 ranges
VendorProductVersion rangeFixed in
apachemod_perl2.0.0 – 2.0.10
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debiandebian_linux
debianlibapache2-mod-perl2< libapache2-mod-perl2 2.0.10-3 (bookworm)libapache2-mod-perl2 2.0.10-3 (bookworm)
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux
redhatenterprise_linux_desktop
redhatenterprise_linux_server
redhatenterprise_linux_workstation

Detection & IOCsextracted from sources · hover to see the quote

path~/public_html/.htaccess
path/var/log/httpd/error_log
  • Look for unexpected Perl code execution warnings in the Apache error log originating from user-owned .htaccess files (e.g., paths under ~/public_html/.htaccess)
  • Exploitation requires UserDir to be enabled (e.g., 'UserDir public_html') and AllowOverride set to a value other than 'None'; monitor httpd configuration for these settings in combination with mod_perl 2.0–2.0.10
  • On SELinux systems, exploitation also requires the httpd_enable_homedirs (and possibly httpd_read_user_content) boolean to be set; alert on these booleans being enabled alongside mod_perl
  • The attack vector is placing arbitrary Perl code inside a user-owned .htaccess file; monitor for writes to .htaccess files in UserDir-served directories
  • Sections in .htaccess files are the root cause; monitor for Perl section directives (e.g., <Perl>) appearing in .htaccess files processed by mod_perl
  • ·Vulnerability only manifests when UserDir is enabled AND AllowOverride is set to a value other than 'None'; default RHEL 6 and RHSC configurations are NOT vulnerable out of the box
  • ·Mitigation: disable the UserDir directive and set AllowOverride None to prevent Perl execution from user .htaccess files
  • ·SELinux provides partial mitigation: UserDir functionality will not work without httpd_enable_homedirs (and possibly httpd_read_user_content) booleans being set, but operators enabling UserDir will typically set these booleans anyway
  • ·Affects mod_perl versions 2.0 through 2.0.10; fixed in Debian/Ubuntu at version 2.0.10-3 and in RHEL 6 via RHSA-2018:2737

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.