I dunno - I wouldn't even give it that much credit. That's like saying that you wrote an extension for SSH (say in C), which forks the process right after it listens, and installs a keysniffer on ssh. Is that a bug? Not IMHO... Because only a server admin can really do it - it's more "installing stupid software" than a bug in the original SSH package...
Here too, it's the same effect. mod_perl is for writing extensions for Apache. Certainly something malicious can be installed, but only with root's permission (if the server's running on privileged ports anyway). I hardly see how that can be called a bug. To me that's like hearing "Well, since using the new filter chain, you can put a protocol filter between mod_ssl and the normal request handling chain, that must be a vulnerability in Apache/mod_ssl". Just my $0.02...

Isssac

----- Original Message -----
From: "Stas Bekman" <[EMAIL PROTECTED]>
To: "Lupe Christoph" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 11:26 AM
Subject: Re: FWD: [EMAIL PROTECTED]: Hijacking Apache 2 via mod_perl]

> Lupe Christoph wrote:
> > Hi!
> >
> > This was on BUGTRAQ last night. Since I've not seen anything from this
> > guy on the mod_perl mailing list, I thought I'd forward it.
> >
> > Somebody should reply to BUGTRAQ. Probably that this is an old version,
> > that people who want to be secure should not use Beta software, and that
> > it's been fixed for a long time.
>
> Thanks Luke.
>
> First of all, I fail to see what it has to do with mod_perl, besides that the
> guy is using perl to write an exploit. You will have the same problem with a
> cgi script, written in any language and run under mod_cgi, same probably with
> mod_php, tcl and the rest of the extensions.
>
> I've tried to reproduce this report under mod_perl and lo and behold his
> exploit fails to even start because I'm always running under -T:
>
> Exploit installed
> Server error!
>
> Error message:
> Insecure $ENV{PATH} while running setgid at /home/httpd/2.0/perl/owned.pl
> line 13.
>
> After fixing that $ENV{PATH} issue, I couldn't get the exploit to work (with
> httpd-2.0.49-dev). I haven't tested it with 2.0.48.
>
> Apache starts as root but then immediately drops the root privileges and does
> not run its child processes as root. So if the server was started as root via:
>
> /usr/sbin/httpd2 -k start
>
> I fail to see how a child process which is not root (usually 'nobody') can
> succeed to run:
>
> system '/usr/sbin/httpd2 -k stop';
>
> unless given special permissions, which would be a security problem in the
> setup, not Apache. Or is this something special to the Mandrake setup, which I
> don't know about? I use Mandrake 9.2, but I don't use any prebuilt apache/mp
> packages.
>
> If you try to reproduce this exploit be advised that the exploit code won't
> run as is, it misses a bunch of closing } brackets, and you need to adjust
> /usr/sbin/httpd2 to point to where your httpd is. I suppose this is done on
> purpose, to prevent those who don't know perl from running it?
>
> __________________________________________________________________
> Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/ mod_perl Guide ---> http://perl.apache.org
> mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org http://ticketmaster.com
>
> --
> Reporting bugs: http://perl.apache.org/bugs/
> Mail list info: http://perl.apache.org/maillist/modperl.html
> List etiquette: http://perl.apache.org/maillist/email-etiquette.html
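The two checks Stas's reply relies on, taint mode refusing system() while $ENV{PATH} is inherited, and the request handler running as an unprivileged child rather than as the root parent, as an added example that is not part of the thread and not the posted exploit. The httpd path '/usr/sbin/httpd2' and the helper names are assumptions for illustration; run it with `perl -T` so taint mode is on.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Shows why a Perl script run
# under -T dies on the first system() call with an inherited $ENV{PATH},
# what untainting it looks like, and why a non-root Apache child still
# cannot stop the root-owned parent.
use strict;
use warnings;

# Under -T Perl treats $ENV{PATH} from the parent process as tainted and
# dies with "Insecure $ENV{PATH}" on system()/exec()/backticks. Assigning a
# fixed value untaints it; the other variables are ones a shell would honour.
sub untaint_environment {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return $ENV{PATH};
}

# Apache's parent keeps root only to bind privileged ports; request handlers
# run in children under an unprivileged uid (typically 'nobody'). Check the
# effective uid ($>) instead of assuming anything about it.
sub can_signal_parent {
    return $> == 0;
}

# Hypothetical helper: only attempt the command once the environment is
# clean and the process is actually privileged, and report why it refused.
sub stop_httpd {
    my ($httpd_binary) = @_;    # assumed path; adjust to your install
    untaint_environment();
    unless ( can_signal_parent() ) {
        return "refused: running as uid $< (euid $>), not root";
    }
    # List-form system() bypasses the shell entirely.
    my $rc = system( $httpd_binary, '-k', 'stop' );
    return $rc == 0 ? 'stopped' : 'httpd exited with status ' . ( $? >> 8 );
}

print stop_httpd('/usr/sbin/httpd2'), "\n";
```

Run from a shell as your own user it prints the "refused" line, which is what a mod_perl handler in a 'nobody' child would see as well; omit the untaint step and run it with `perl -T` and the very first system() call dies with the same "Insecure $ENV{PATH}" message quoted above.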