Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Salvatore Bonaccorso carnil at debian.org
Sun Aug 26 15:26:09 BST 2018


Hi

Back in 2011 after this bug was reported, for the security implication
mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
for <Perl> sections, and users allowed to write to .htaccess files can
run code as the user running the web server, leading to privilege
escalation.

This can be demonstrated in situations where both mod_perl and userdir
support would be enabled, or other setups potentially leading to full
root privilege escalation.

Jan, want to outline your finding in more detail? I have just
submitted the CVE itself to MITRE, as it was back then assigned from
the Debian pool.

Regards,
Salvatore
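
An audit for the condition described in the message above, as an added example that is not part of the original message or of mod_perl: it scans per-directory config files for `<Perl>` section openers. The function names, the constructed sample tree, and the assumption that the files are named `.htaccess` are this example's own.

```python
import os
import re
import tempfile

# Apache section names are case-insensitive. Match an opening <Perl> or
# <Perl ...> container, but not </Perl> or directives such as PerlOptions.
PERL_SECTION = re.compile(r"^\s*<Perl(\s[^>]*)?>", re.IGNORECASE)


def find_perl_sections(root, names=(".htaccess",)):
    """Return sorted (path, line_no, owner_uid) for each <Perl> opener found
    in per-directory config files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                uid = os.stat(path).st_uid  # file owner, for follow-up
                with open(path, "r", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        if line.lstrip().startswith("#"):
                            continue  # commented-out config line
                        if PERL_SECTION.match(line):
                            hits.append((path, no, uid))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(hits)


def demo():
    """Scan a constructed tree; returns [(relative_path, line_no)]."""
    samples = {  # constructed sample files, not taken from the bug report
        "alice/public_html/.htaccess": "Options -Indexes\n# <Perl>\n",
        "bob/public_html/.htaccess": "Options -Indexes\n<perl>\n1;\n</perl>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(text)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), n)
                for p, n, _uid in find_perl_sections(root)]


if __name__ == "__main__":
    print(demo())
```

If the server's `AccessFileName` directive sets a different file name, pass it through the `names` argument.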


