Re: Hijacking Apache 2 via mod_perl
Steve G wrote:
Then one just writes a perl extension in C. Who's responsible
But don't you need root to add extensions?
Who's responsible if you just write a C module which hijacks the
Again, you need an admin to update apache's config.
you need an admin to update the config file if you're trying to use the
LoadModule directive. but if mod_perl's already running (and if
.htaccess files aren't locked down enough), you can use the SetHandler
to load up any (malicious) modules you might need. afaik, loading a
module once in mod_perl will make it available to every child process.
if i've been reading this thread right (and there's a good chance i
haven't) then this would give EvilModule.pm access to the leaked fd's.
(i haven't tested this for httpd2/mod_perl2, but i know it holds true
for httpd1.3.x/mod_perl, and the new docs don't indicate any changes).
jon@xxxxxxxxxxxxxxxxxx || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
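
An added example, not part of the original message or of Apache/mod_perl: a small audit that reports which `<Directory>` blocks allow `.htaccess` files to use SetHandler, the "not locked down enough" condition the reply describes. It relies on SetHandler belonging to the FileInfo override class; the sample configuration, paths and function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    AllowOverride AuthConfig FileInfo
</Directory>
<Directory "/srv/shared">
    AllowOverride All
</Directory>
<Directory "/srv/legacy">
    Options Indexes
</Directory>
"""

# SetHandler is usable from .htaccess when the FileInfo override class
# (or All) is granted for the directory.
RISKY = {"all", "fileinfo"}

def classify(tokens):
    """Map the AllowOverride arguments of one block to a verdict."""
    if tokens is None:
        # No explicit directive: the value is inherited from a parent block
        # or the version default (All before httpd 2.3.9, None after).
        return "unset"
    return "sethandler-allowed" if tokens & RISKY else "locked"

def audit_allowoverride(conf_text):
    """Return a list of (directory, verdict) for each <Directory> block."""
    findings, current, tokens = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current, tokens = opened.group(1).strip(), None
        elif current and re.match(r"</Directory\s*>", line, re.I):
            findings.append((current, classify(tokens)))
            current = None
        elif current and line.split()[0].lower() == "allowoverride":
            tokens = {t.lower() for t in line.split()[1:]}
    return findings

if __name__ == "__main__":
    for directory, verdict in audit_allowoverride(SAMPLE_CONF):
        print(f"{verdict:20} {directory}")
```

Blocks reported as `unset` need a manual look at the parent configuration and the server version before they can be treated as locked.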