[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Hijacking Apache 2 via mod_perl
Steve Grubb wrote:
Versions: 1.99_09 / apache 2.0.47
Impact: Daemon Hijacking
Bug class: Leaked Descriptor
Vendor notified: Yes
Fix available: No
Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to takeover (hijack) the http and https services.
This is not a leak - mod_perl is a module that is compiled into Apache,
and hence has access to all its resources (including memory). If you
want to run untrusted Perl, then don't use mod_perl.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff