ID CVE-2011-2767
Summary mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
References
Vulnerable Configurations
  • Apache Software Foundation mod_perl 2.0.0
    cpe:2.3:a:apache:mod_perl:2.0.0
  • Apache Software Foundation mod_perl 2.0.1
    cpe:2.3:a:apache:mod_perl:2.0.1
  • Apache Software Foundation mod_perl 2.0.2
    cpe:2.3:a:apache:mod_perl:2.0.2
  • Apache Software Foundation mod_perl 2.0.3
    cpe:2.3:a:apache:mod_perl:2.0.3
  • Apache Software Foundation mod_perl 2.0.4
    cpe:2.3:a:apache:mod_perl:2.0.4
  • Apache Software Foundation mod_perl 2.0.5
    cpe:2.3:a:apache:mod_perl:2.0.5
  • Apache Software Foundation mod_perl 2.0.6
    cpe:2.3:a:apache:mod_perl:2.0.6
  • Apache Software Foundation mod_perl 2.0.7
    cpe:2.3:a:apache:mod_perl:2.0.7
  • Apache Software Foundation mod_perl 2.0.8
    cpe:2.3:a:apache:mod_perl:2.0.8
  • Apache Software Foundation mod_perl 2.0.9
    cpe:2.3:a:apache:mod_perl:2.0.9
  • Apache Software Foundation mod_perl 2.0.10
    cpe:2.3:a:apache:mod_perl:2.0.10
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
  • Red Hat Enterprise Linux 6.7
    cpe:2.3:o:redhat:enterprise_linux:6.7
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
  • Red Hat Enterprise Linux 7.3
    cpe:2.3:o:redhat:enterprise_linux:7.3
  • Red Hat Enterprise Linux 7.4
    cpe:2.3:o:redhat:enterprise_linux:7.4
  • Red Hat Enterprise Linux 7.5
    cpe:2.3:o:redhat:enterprise_linux:7.5
  • Red Hat Enterprise Linux 7.6
    cpe:2.3:o:redhat:enterprise_linux:7.6
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has already modified the file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-F6A5B71464.NASL
    description This release fixes CVE-2011-2767 vulnerability (an arbitrary Perl code execution in the context of the httpd server) by disabling <Perl> sections in non-server-level configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 120916
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120916
    title Fedora 29 : mod_perl (2018-f6a5b71464)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-0DDEF94854.NASL
    description This release fixes CVE-2011-2767 vulnerability (an arbitrary Perl code execution in the context of the httpd server) by disabling <Perl> sections in non-server-level configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 120232
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120232
    title Fedora 28 : mod_perl (2018-0ddef94854)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A94668408D.NASL
    description This release fixes CVE-2011-2767 vulnerability (an arbitrary Perl code execution in the context of the httpd server) by disabling <Perl> sections in non-server-level configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117374
    published 2018-09-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117374
    title Fedora 27 : mod_perl (2018-a94668408d)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2737.NASL
    description From Red Hat Security Advisory 2018:2737 : An update for mod_perl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mod_perl incorporates a Perl interpreter into the Apache web server, such that the Apache HTTP server can directly execute Perl code. Security Fix(es) : * mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117679
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117679
    title Oracle Linux 6 : mod_perl (ELSA-2018-2737)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3825-1.NASL
    description Jan Ingvoldstad discovered that mod_perl incorrectly handled configuration options to disable being used by unprivileged users, contrary to the documentation. A local attacker could possibly use this issue to execute arbitrary Perl code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 119118
    published 2018-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119118
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libapache2-mod-perl2 vulnerability (USN-3825-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1085.NASL
    description mod_perl allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. (CVE-2011-2767)
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117922
    published 2018-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117922
    title Amazon Linux AMI : mod_perl / mod24_perl (ALAS-2018-1085)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-2737.NASL
    description An update for mod_perl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mod_perl incorporates a Perl interpreter into the Apache web server, such that the Apache HTTP server can directly execute Perl code. Security Fix(es) : * mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117828
    published 2018-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117828
    title CentOS 6 : mod_perl (CESA-2018:2737)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2737.NASL
    description An update for mod_perl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Mod_perl incorporates a Perl interpreter into the Apache web server, such that the Apache HTTP server can directly execute Perl code. Security Fix(es) : * mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117681
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117681
    title RHEL 6 : mod_perl (RHSA-2018:2737)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180924_MOD_PERL_ON_SL6_X.NASL
    description Security Fix(es) : - mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767)
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117682
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117682
    title Scientific Linux Security Update : mod_perl on SL6.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1507.NASL
    description Jan Ingvoldstad discovered that libapache2-mod-perl2 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. For Debian 8 'Jessie', this problem has been fixed in version 2.0.9~1624218-2+deb8u3. We recommend that you upgrade your libapache2-mod-perl2 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 117593
    published 2018-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117593
    title Debian DLA-1507-1 : libapache2-mod-perl2 security update
redhat via4
advisories
  • bugzilla
    id 1623265
    title CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment mod_perl is earlier than 0:2.0.4-12.el6_10
          oval oval:com.redhat.rhsa:tst:20182737007
        • comment mod_perl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20182737008
      • AND
        • comment mod_perl-devel is earlier than 0:2.0.4-12.el6_10
          oval oval:com.redhat.rhsa:tst:20182737005
        • comment mod_perl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20182737006
    rhsa
    id RHSA-2018:2737
    released 2018-09-24
    severity Important
    title RHSA-2018:2737: mod_perl security update (Important)
  • rhsa
    id RHSA-2018:2825
  • rhsa
    id RHSA-2018:2826
rpms
  • mod_perl-0:2.0.4-12.el6_10
  • mod_perl-devel-0:2.0.4-12.el6_10
refmap via4
bid 105195
misc
mlist [debian-lts-announce] 20180918 [SECURITY] [DLA 1507-1] libapache2-mod-perl2 security update
ubuntu
  • USN-3825-1
  • USN-3825-2
Last major update 26-08-2018 - 12:29
Published 26-08-2018 - 12:29
Last modified 22-04-2019 - 13:48