On Wed 01 Apr 2009, Geoffrey Young wrote:
> Torsten Foertsch wrote:
> > On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> >>> almost a month ago there was this posting on the users list
> >>>
> >>> http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >>>
> >>> stating there was a security related bug in modperl.
> >>>
> >>> Since then there were no svn updates touching the code. I'd like
> >>> to know if my servers are secure. So, where can I get more
> >>> information about the bug to perhaps help to fix it?
> >>>
> >>> Who knows more about the bug, please issue a statement if it is a
> >>> bug or not. If it is but nobody has the resources to fix it,
> >>> please let me know (privately) what it is. If I can I'll do it
> >>> then.
> >>
> >> AFAIK, the original submitter didn't follow up and explain what
> >> the potential security problem was. He was told to contact
> >> secur...@apache.org, but I haven't heard anything from them.
> >
> > Just FYI, the bug is a simple cross site scripting thing in
> > Apache2::Status (and probably in mp1's Apache::Status as well)
>
> just for clarification, do you know this because he contacted you
> directly? or are you on secur...@a.o. I can't see any further
> discussion of it in the archives, but I'm not on security@ so I don't
> know what goes on there.
No, I am not on secur...@a.o. I have seen his announcement about the problem on the users list on 01.03.09. That is now a month ago. 3 weeks later (21.03.09) I asked here on the dev list if anybody knows anything about the bug because I couldn't see any change in the code. So, it was clearly not fixed yet. The original submitter answered privately that it was something to do with perl_status. Further, Gozer replied that either nothing has appeared on secur...@a.o or he was not contacted about the bug by them.

Anyway, I do not think that a security bug floating around in the wild for almost a month is a good thing. So, I inspected the code and found that $r->uri was written unaltered to links in the output. So any path_info goes there as well. Then I asked the original submitter if it was this and he confirmed it.

After finding out what the problem was I asked Gozer on 23.03.09 privately and described the problem because of his first mail about not hearing from secur...@a.o. In this mail I asked him:

On Mon 23 Mar 2009, Torsten Foertsch wrote:
> What will we do about it? I think we need to issue a statement: "do
> not use Apache::Status on a publicly accessible web server". I don't
> think anyone in a proper state of mind does that. But leaving a mail
> like this unanswered is not good.

But unfortunately I got no answer.

I hope you understand, there is a security bug and it seems nobody cares for a month! So, in the end I fixed it, asked the original submitter if the patch cures the problem, got his confirmation and went public.

I know I haven't handled the issue the best way. But I didn't know how else. Nobody answered my mails, nobody did anything. Except for the submitter.

Torsten

--
Need professional mod_perl support?
Just hire me: torsten.foert...@gmx.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@perl.apache.org
For additional commands, e-mail: dev-h...@perl.apache.org
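As an added illustration, not code from this thread, from Apache2::Status or from the patch Torsten mentions, the following Perl contrasts the pattern he describes (the raw $r->uri, path_info included, interpolated into an href) with a form that escapes the value for the HTML attribute context first. The sample $uri value, the link_unescaped/link_escaped names and the "inc" section name are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample of what $r->uri returns for a status handler mounted at
# /perl-status: everything after the location is client-supplied path_info,
# so it can contain characters that close the attribute and open a tag.
my $uri = '/perl-status/"><script>alert(1)</script>';

# Vulnerable pattern (hypothetical reconstruction of the bug described in the
# thread): the request URI is written straight into the link markup.
sub link_unescaped {
    my ($uri, $section) = @_;
    return qq{<a href="$uri?$section">$section</a>};
}

# Hardened pattern: encode the characters that matter inside a double-quoted
# attribute (<, >, &, ", ') before interpolating. The browser still receives
# the same path, but as data rather than as markup.
sub link_escaped {
    my ($uri, $section) = @_;
    my $safe = encode_entities($uri, q{<>&"'});
    return qq{<a href="$safe?$section">$section</a>};
}

# Simple check a reviewer can run over generated output: does any raw '<'
# survive inside an attribute value? Returns 1 if the markup looks unsafe.
sub attr_has_raw_markup {
    my ($html) = @_;
    return $html =~ /href="[^"]*[<>]/ ? 1 : 0;
}

print link_unescaped($uri, 'inc'), "\n";   # attacker text becomes live markup
print link_escaped($uri, 'inc'),   "\n";   # same text, rendered inert
print "unescaped unsafe: ", attr_has_raw_markup(link_unescaped($uri, 'inc')), "\n";
print "escaped unsafe:   ", attr_has_raw_markup(link_escaped($uri, 'inc')),   "\n";
```

An alternative fix is to build the links from the handler's configured location rather than from $r->uri, so path_info never reaches the output at all; which approach the actual patch took is not stated in the thread.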