[SECURITY] [CVE-2009-0796] Vulnerability found in Apache::Status and

[SECURITY] [CVE-2009-0796] Vulnerability found in Apache::Status and

am 01.04.2009 23:58:12 von Fred Moyer

mod_perl lists,

A specific vulnerability [CVE-2009-0795] in Apache::Status and
Apache2::Status has been discovered which may affect the security of
your mod_perl installation. Running Apache::Status on a public server
with no protection has always been a bad idea though, vulnerability or
not.

The mod_perl1 and mod_perl2 codebases have been updated to protect
against this vulnerability, but your existing server may be
vulnerable. To secure your mod_perl server from this vulnerability,
we recommend that you disallow access to Apache::Status and
Apache2::Status resources (usually located at /perl-status) from
untrusted hosts.

Q: How do I know if my installation is vulnerable?

A: If you have enabled the Apache::Status or Apache2::Status modules
in your httpd.conf, your installation may be vulnerable. See the
following links for details on what constitutes potentially vulnerable
httpd.conf directives.

http://perl.apache.org/docs/1.0/api/Apache/Status.html#Descr iption
http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Desc ription

If you have a directive in your httpd.conf,
your installation is likely vulnerable.

Q: What steps do I take to secure my mod_perl installation?

A: Disallow access from certain clients to your status url (example
/perl-status) in your httpd.conf file.

mod_perl1 example:


Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlHandler Apache::Status



mod_perl2 example:


Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlResponseHandler Apache2::Status

Re: [SECURITY] [CVE-2009-0796] Vulnerability found in Apache::Status

am 08.04.2009 03:56:45 von Fred Moyer

Update - I fat fingered the CVE number in this email body previously
(but it was correct in the subject).

The correct vulnerability reference number is CVE-2009-0796.

On Wed, Apr 1, 2009 at 2:58 PM, Fred Moyer wrote:
> mod_perl lists,
>
> A specific vulnerability [CVE-2009-0795] in Apache::Status and
> Apache2::Status has been discovered which may affect the security of
> your mod_perl installation. =A0Running Apache::Status on a public server
> with no protection has always been a bad idea though, vulnerability or
> not.
>
> The mod_perl1 and mod_perl2 codebases have been updated to protect
> against this vulnerability, but your existing server may be
> vulnerable. =A0To secure your mod_perl server from this vulnerability,
> we recommend that you disallow access to Apache::Status and
> Apache2::Status resources (usually located at /perl-status) from
> untrusted hosts.
>
> Q: =A0How do I know if my installation is vulnerable?
>
> A: =A0If you have enabled the Apache::Status or Apache2::Status modules
> in your httpd.conf, your installation may be vulnerable. =A0See the
> following links for details on what constitutes potentially vulnerable
> httpd.conf directives.
>
> http://perl.apache.org/docs/1.0/api/Apache/Status.html#Descr iption
> http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Desc ription
>
> If you have a directive in your httpd.conf,
> your installation is likely vulnerable.
>
> Q: =A0What steps do I take to secure my mod_perl installation?
>
> A: =A0Disallow access from certain clients to your status url (example
> /perl-status) in your httpd.conf file.
>
> mod_perl1 example:
>
>
> =A0 Order deny,allow
> =A0 Deny from all
> =A0 Allow from 127.0.0.1
> =A0 SetHandler =A0perl-script
> =A0 PerlHandler Apache::Status
>
>
>
> mod_perl2 example:
>
>
> =A0 Order deny,allow
> =A0 Deny from all
> =A0 Allow from 127.0.0.1
> =A0 SetHandler =A0perl-script
> =A0 PerlResponseHandler Apache2::Status
>
>