Hi!
This was on BUGTRAQ last night. Since I've not seen anything from this guy on the mod_perl mailing list, I thought I'd forward it.
Somebody should reply to BUGTRAQ. Probably that this is an old version, that people who want to be secure should not use Beta software, and that it's been fixed for a long time.
Thanks Luke.
First of all, I fail to see what it has to do with mod_perl, besides that the guy is using perl to write an exploit. You will have the same problem with a cgi script, written in any language and run under mod_cgi, same probably with mod_php, tcl and the rest of the extensions.
I've tried to reproduce this report under mod_perl and lo and behold his exploit fails to even start because I'm always running under -T:
Exploit installed Server error!
Error message:
Insecure $ENV{PATH} while running setgid at /home/httpd/2.0/perl/owned.pl line 13.
After fixing that $ENV{PATH} issue, I couldn't get the exploit to work (with httpd-2.0.49-dev). I haven't tested it with 2.0.48.
Apache starts as root but then immediately drops the root privileges and does not run its child processes as root. So if the server was started as root via:
/usr/sbin/httpd2 -k start
I fail to see how a child process which is not root (usually 'nobody') can succeed to run:
system '/usr/sbin/httpd2 -k stop';
unless given special permissions, which would be a security problem in the setup, not Apache. Or is this something special to the Mandrake setup, which I don't know about? I use Mandrake 9.2, but I don't use any prebuilt apache/mp packages.
If you try to reproduce this exploit, be advised that the exploit code won't run as is: it misses a bunch of closing } brackets, and you need to adjust /usr/sbin/httpd2 to point to where your httpd is. I suppose this is done on purpose, to prevent those who don't know perl from running it?
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
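
Added example, not part of the original message and not Apache or mod_perl code: a Python check of the point made in the reply above, that httpd children should not be running as root and therefore cannot stop the root-owned parent. The ps listing is constructed sample data; parse_ps, root_workers and can_signal are hypothetical helper names, and can_signal is a simplified model of the Unix signal-permission rule.

```python
"""Audit a process listing for Apache workers that kept root privileges."""

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from the post).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
  812     1 root     httpd2
  815   812 nobody   httpd2
  816   812 nobody   httpd2
  817   812 root     httpd2
  901     1 root     sshd
"""

def parse_ps(text):
    """Return a list of dicts (pid, ppid, user, comm) parsed from ps output."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue                              # ignore malformed lines
        pid, ppid, user, comm = parts
        rows.append({"pid": int(pid), "ppid": int(ppid),
                     "user": user, "comm": comm.strip()})
    return rows

def root_workers(rows, server_names=("httpd", "httpd2", "apache2")):
    """PIDs of server children (parent is also the server) still running as root."""
    by_pid = {r["pid"]: r for r in rows}
    findings = []
    for r in rows:
        parent = by_pid.get(r["ppid"])
        is_child = parent is not None and parent["comm"] in server_names
        if is_child and r["comm"] in server_names and r["user"] == "root":
            findings.append(r["pid"])
    return findings

def can_signal(sender_user, target_user):
    """Simplified rule: root may signal anyone, other users only their own processes."""
    return sender_user == "root" or sender_user == target_user

if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    print("workers still running as root:", root_workers(rows))
    parent = next(r for r in rows if r["ppid"] == 1 and r["comm"] == "httpd2")
    for r in rows:
        if r["ppid"] == parent["pid"]:
            print(r["pid"], r["user"], "can stop parent:",
                  can_signal(r["user"], parent["user"]))
```

On a live host the same functions can be fed real `ps -eo pid,ppid,user,comm` output; any PID returned by root_workers is a setup problem of the kind the reply describes.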