Bugtraq mailing list archives

Re: Hijacking Apache 2 via mod_perl


From: Ben Laurie <ben () algroup co uk>
Date: Thu, 22 Jan 2004 15:53:01 +0000

Steve Grubb wrote:
Product:         mod_perl
Versions:        1.99_09 / apache 2.0.47
URL:             http://perl.apache.org
Impact:          Daemon Hijacking
Bug class:       Leaked Descriptor
Vendor notified: Yes
Fix available:   No
Date:            01/21/04
Issue:
======
Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to take over (hijack) the http and https services.

This is not a leak - mod_perl is a module that is compiled into Apache, and hence has access to all its resources (including memory). If you want to run untrusted Perl, then don't use mod_perl.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
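
The point in dispute above, as an added illustration that is not part of the original thread and not code from mod_perl or Apache: a stand-in server in Python holds a listening socket, code running in the same process (the position a Perl handler under mod_perl is in) finds that socket by walking its own descriptor table and serves a client on it, while a child started with close-on-exec descriptors sees nothing unless the descriptor is passed across exec on purpose. The loopback server, the port scan limit of 1024 and the hypothetical function names are constructed for the example; it assumes Python 3.8+ on a POSIX system that supports SO_ACCEPTCONN.

```python
"""Why in-process code cannot 'leak' a descriptor to itself.

A constructed loopback server holds a listening socket.  Code in the same
process (the role of a Perl handler under mod_perl) finds that socket by
walking its own descriptor table and answers a client on it.  A child
started the way subprocess does by default (close-on-exec) sees no such
socket; only a descriptor passed explicitly crosses exec, which is what
the 'leaked descriptor' bug class is about.  Assumes Python 3.8+, POSIX.
"""
import os
import socket
import stat
import subprocess
import sys

MAX_FD = 1024  # assumption: scan descriptor numbers below this


def listening_sockets(max_fd=MAX_FD):
    """Return the numbers of every listening socket open in this process."""
    hits = []
    for fd in range(max_fd):
        try:
            if not stat.S_ISSOCK(os.fstat(fd).st_mode):
                continue
            s = socket.socket(fileno=fd)  # wraps the existing fd, creates nothing
        except OSError:
            continue
        try:
            if s.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
                hits.append(fd)
        except OSError:
            pass
        finally:
            s.detach()  # hand the fd back without closing it
    return hits


def hijack_one_request(listen_fd):
    """Serve one client on a socket this code never created.

    Nothing is leaked: the descriptor is already in the process's own table,
    exactly as it is for any module compiled into the server.
    """
    listener = socket.socket(fileno=os.dup(listen_fd))  # private copy of the fd
    with listener:
        conn, _ = listener.accept()
    with conn:
        request = conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhijacked\r\n")
    return request


# Same scan as listening_sockets(), run inside an exec'd child.
CHILD_SCAN = r"""
import os, socket, stat
n = 0
for fd in range(1024):
    try:
        s = socket.socket(fileno=fd) if stat.S_ISSOCK(os.fstat(fd).st_mode) else None
    except OSError:
        continue
    if s is not None:
        n += bool(s.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN))
        s.detach()
print(n)
"""


def child_sees_listener(listen_fd, leak):
    """Count listening sockets visible to a child across exec.

    leak=False: subprocess's default close_fds=True keeps the fd behind.
    leak=True:  pass_fds carries it across exec, the real leaked descriptor.
    """
    kwargs = {"pass_fds": (listen_fd,)} if leak else {}
    out = subprocess.run([sys.executable, "-c", CHILD_SCAN],
                         capture_output=True, text=True, check=True, **kwargs)
    return int(out.stdout.strip())


def demo():
    """Run the scenario against a constructed loopback server; return what happened."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]
    found = server.fileno() in listening_sockets()

    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    request = hijack_one_request(server.fileno())  # knows only the fd number
    reply = b""
    while chunk := client.recv(4096):
        reply += chunk
    client.close()

    results = {
        "found_in_own_table": found,
        "request_seen_by_hijacker": request,
        "reply_seen_by_client": reply,
        "child_default": child_sees_listener(server.fileno(), leak=False),
        "child_with_pass_fds": child_sees_listener(server.fileno(), leak=True),
    }
    server.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The in-process scan needs no cooperation from whoever opened the socket; close-on-exec flags, which are the usual fix for a genuine descriptor leak, only matter at the fork/exec boundary that the child half of the demo crosses.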