https://bugzilla.redhat.com/show_bug.cgi?id=1623265

            Bug ID: 1623265
           Summary: CVE-2011-2767 mod_perl: arbitrary Perl code execution
                    in the context of the user account via a user-owned
                    .htaccess
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected],
                    [email protected], [email protected],
                    [email protected], [email protected]



A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to
execute arbitrary Perl code by placing it in a user-owned .htaccess file,
because (contrary to the documentation) there is no configuration option that
permits Perl code for the administrator's control of HTTP request processing
without also permitting unprivileged users to run Perl code in the context of
the user account that runs Apache HTTP Server processes.


References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
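
An audit sketch for the condition described above, added here as an example (it is not code from the bug report or from mod_perl). It walks a directory tree, flags .htaccess files that contain a `<Perl>` section or a directive whose name starts with `Perl`, and reports whether each file is owned by a UID outside a trusted set. The name-prefix heuristic, the function names and the trusted-UID default are assumptions.

```python
import os
import re

# Heuristic (assumption): mod_perl directive names start with "Perl"
# (e.g. PerlSetVar) and "<Perl>" opens an inline Perl section.
# Apache directive names are case-insensitive.
PERL_DIRECTIVE = re.compile(r"^\s*<?\s*(Perl\w*)", re.IGNORECASE)


def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def scan_htaccess(path):
    """Return [(line_no, directive)] for Perl directives in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):  # Apache comment line
            continue
        m = PERL_DIRECTIVE.match(line)
        if m:
            hits.append((no, m.group(1)))
    return hits


def audit_tree(root, trusted_uids=(0,)):
    """Return [(path, owner_uid, user_owned, hits)] for every .htaccess
    under root that contains at least one Perl directive."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            hits = scan_htaccess(path)
            if hits:
                uid = os.stat(path).st_uid
                findings.append((path, uid, uid not in trusted_uids, hits))
    return findings
```

Point `audit_tree` at the document roots Apache serves and review every finding whose third field is `True`.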

perl-devel mailing list -- [email protected]