CVE-2011-2767
published 2018-08-26CVE-2011-2767: mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the…
PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
8.95%
94.6th percentile
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | mod_perl | 2.0.0 – 2.0.10 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | libapache2-mod-perl2 | < libapache2-mod-perl2 2.0.10-3 (bookworm) | libapache2-mod-perl2 2.0.10-3 (bookworm) |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for unexpected Perl code execution warnings in the Apache error log originating from user-owned .htaccess files (e.g., paths under ~/public_html/.htaccess) ↗
- →Exploitation requires UserDir to be enabled (e.g., 'UserDir public_html') and AllowOverride set to a value other than 'None'; monitor httpd configuration for these settings in combination with mod_perl 2.0–2.0.10 ↗
- →On SELinux systems, exploitation also requires the httpd_enable_homedirs (and possibly httpd_read_user_content) boolean to be set; alert on these booleans being enabled alongside mod_perl ↗
- →The attack vector is placing arbitrary Perl code inside a user-owned .htaccess file; monitor for writes to .htaccess files in UserDir-served directories ↗
- →Sections in .htaccess files are the root cause; monitor for Perl section directives (e.g., <Perl>) appearing in .htaccess files processed by mod_perl ↗
- ·Vulnerability only manifests when UserDir is enabled AND AllowOverride is set to a value other than 'None'; default RHEL 6 and RHSC configurations are NOT vulnerable out of the box ↗
- ·Mitigation: disable the UserDir directive and set AllowOverride None to prevent Perl execution from user .htaccess files ↗
- ·SELinux provides partial mitigation: UserDir functionality will not work without httpd_enable_homedirs (and possibly httpd_read_user_content) booleans being set, but operators enabling UserDir will typically set these booleans anyway ↗
- ·Affects mod_perl versions 2.0 through 2.0.10; fixed in Debian/Ubuntu at version 2.0.10-3 and in RHEL 6 via RHSA-2018:2737 ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-hm7f-5jxx-cwvg: mod_perl 2
ghsa_unreviewed·2022-05-13
CVE-2011-2767 [CRITICAL] CWE-94 GHSA-hm7f-5jxx-cwvg: mod_perl 2
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
OSV
CVE-2011-2767: mod_perl 2
osv·2018-08-26·CVSS 9.8
CVE-2011-2767 [CRITICAL] CVE-2011-2767: mod_perl 2
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Ubuntu
mod_perl vulnerability
vendor_ubuntu·2018-11-22
CVE-2011-2767 mod_perl vulnerability
Title: mod_perl vulnerability
Summary: mod_perl could be made to run programs contrary to expectations.
USN-3825-1 fixed a vulnerability in mod_perl. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Jan Ingvoldstad discovered that mod_perl incorrectly handled configuration
options to disable being used by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
mod_perl vulnerability
vendor_ubuntu·2018-11-21
CVE-2011-2767 mod_perl vulnerability
Title: mod_perl vulnerability
Summary: mod_perl could be made to run programs contrary to expectations.
Jan Ingvoldstad discovered that mod_perl incorrectly handled configuration
options to disable being used by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
vendor_redhat·2011-10-03·CVSS 9.8
CVE-2011-2767 [CRITICAL] CWE-266 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Statement: The default configurations shipped in Red Hat Enterprise Linux 6 and Red Hat Software Collections are not vulnerable to to this flaw. The UserDir option needs to be enabled as well as AllowOverride being set to values other than "None" for this to potentially pose a threat
Debian
CVE-2011-2767: libapache2-mod-perl2 - mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by p...
vendor_debian·2011·CVSS 9.8
CVE-2011-2767 [CRITICAL] CVE-2011-2767: libapache2-mod-perl2 - mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by p...
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Scope: local
bookworm: resolved (fixed in 2.0.10-3)
bullseye: resolved (fixed in 2.0.10-3)
forky: resolved (fixed in 2.0.10-3)
sid: resolved (fixed in 2.0.10-3)
trixie: resolved (fixed in 2.0.10-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
bugzilla·2018-08-28·CVSS 9.8
CVE-2011-2767 [CRITICAL] CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
Discussion:
Created mod_perl tracking bugs for this issue:
Affects: epel-7 [bug 1623268]
Affects: fedora-all [bug 1623267]
---
Reproducer:
(1) Enable user's ~/public_ht
Bugzilla
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [fedora-all]
bugzilla·2018-08-28·CVSS 9.8
CVE-2011-2767 [CRITICAL] CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [fedora-all]
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
N
Bugzilla
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [epel-7]
bugzilla·2018-08-28·CVSS 9.8
CVE-2011-2767 [CRITICAL] CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [epel-7]
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussi
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.htmlhttp://www.securityfocus.com/bid/105195https://access.redhat.com/errata/RHSA-2018:2737https://access.redhat.com/errata/RHSA-2018:2825https://access.redhat.com/errata/RHSA-2018:2826https://bugs.debian.org/644169https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2018/09/msg00018.htmlhttps://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3Ehttps://usn.ubuntu.com/3825-1/https://usn.ubuntu.com/3825-2/http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.htmlhttp://www.securityfocus.com/bid/105195https://access.redhat.com/errata/RHSA-2018:2737https://access.redhat.com/errata/RHSA-2018:2825https://access.redhat.com/errata/RHSA-2018:2826https://bugs.debian.org/644169https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2018/09/msg00018.htmlhttps://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3Ehttps://usn.ubuntu.com/3825-1/https://usn.ubuntu.com/3825-2/
2018-08-26
Published