On Thursday 29 March 2007 13:18, Peter Samuelson wrote:
> Do you know the scope of the DoS - does it allow the attacker to kill
> the process running the perl program, or exhaust your memory, or
> what?

I haven't tested, since I have no systems that are vulnerable, but from the original problem report by Alex Solovey:

  If I have a PerlRun script, e.g., http://localhost/test/script, and call it using a URL with special symbols like '(' in path_info, PerlRun fails with server error. For example, calling http://localhost/test/script/( produces this error:

  [Thu Mar 22 10:24:57 2007] [error] Unmatched ( in regex; marked by <-- HERE in m//( <-- HERE $/ at /usr/local/lib/perl5/site_perl/5.8.8/mach/Apache/PerlRun.pm line 171.

So, in most cases, it is an Internal Server Error, which, AFAIK, does not kill the process, and will only affect the requesting client.

The main fear among members of the mod_perl list was that it would be possible to inject a regular expression that would take forever to return, and possibly exhaust memory.

Now, I think it is good practice to kill threads that run away, so a number of best practices should guard against this, but I guess it is legitimate to raise a security issue over the possibility of inserting an arbitrary regexp in a URL.

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
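
The failure in the quoted report, next to a form that treats path_info as a literal string, as an added example (not code from PerlRun.pm or from anyone in this thread). The helper names and the sample requests are constructed for illustration; escaping with \Q...\E is shown as one way to keep request data out of the pattern syntax.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: strip path_info from the end of the URI.
# path_info is interpolated into the pattern unescaped, so any regex
# metacharacter in the request path becomes part of the pattern.
sub script_name_unsafe {
    my ($uri, $path_info) = @_;
    return $uri unless length $path_info;
    return $uri =~ /$path_info$/
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Same helper with \Q...\E (quotemeta): path_info is matched literally.
sub script_name_safe {
    my ($uri, $path_info) = @_;
    return $uri unless length $path_info;
    return $uri =~ /\Q$path_info\E$/
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Constructed sample requests: [uri, path_info]
my @requests = (
    ['/test/script/extra', '/extra'],
    ['/test/script/(',     '/('],     # the case from the report
);

for my $req (@requests) {
    my ($uri, $path_info) = @$req;

    # The unescaped form dies at pattern-compile time on '('; catch it
    # the way the server would turn it into an Internal Server Error.
    my $unsafe = eval { script_name_unsafe($uri, $path_info) };
    $unsafe = 'died: ' . (split /;/, $@)[0] unless defined $unsafe;

    my $safe = script_name_safe($uri, $path_info);
    printf "%-20s unsafe=%-28s safe=%s\n", $uri, $unsafe, $safe;
}
```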