Apache Code execution when using insecure HTTP Config



fb1h2s
07-24-2014, 09:21 PM
The following code belongs to the Apache http.config file. The config given below is used to configure Perl CGI on Apache for a particular directory. But this config is flawed and could create a series of security issues. I have seen this config in a lot of online tutorials, and people have been blindly following these settings. We have a daily security challenge going on our Facebook page and I posted this issue over there:

https://www.facebook.com/Garage4Hackers/photos/a.291740437511056.78570.138904662794635/832071583477936/?type=1

[Buggy Config ]


PerlSetEnv scriptLoc /var/www/scripts/
Alias /var/www/scripts/ /var/code/scripts
<Location /var/www/scripts/>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlSendHeader On
allow from all
</Location>

When placed into an .htaccess file or a <Directory> or <Location> section, the SetHandler directive forces all matching files to be parsed through the handler given by handler-name. So in our case the handler will make any file kept in the scripts directory be parsed as Perl. In that case rahul.jpeg, sasi.txt or sasi.pl.tx will all be treated as Perl scripts. This bug could be combined with any file write vulnerability to get code execution.


http://httpd.apache.org/docs/2.2/mod/core.html#sethandler

The right configuration should be AddHandler, explicitly specifying which file extension should be treated as Perl code. http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addhandler

AddHandler perl-script .pl

Regards,
Rahul Sasi
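
An audit check for the pattern described in the post, as an added example that is not part of the original post: it scans Apache config text for a SetHandler naming a script handler that is not narrowed by <Files> or <FilesMatch>. The handler list, the function name find_blanket_handlers and the sample config are assumptions made for this example.

```python
import re

# Handlers that run file content as code (list assumed for this example).
SCRIPT_HANDLERS = {"perl-script", "cgi-script", "modperl"}

# Constructed sample: the page's buggy block, then a FilesMatch-scoped one.
SAMPLE = """\
Alias /var/www/scripts/ /var/code/scripts
<Location /var/www/scripts/>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
</Location>
<Directory /var/code/scripts>
<FilesMatch "\\.pl$">
SetHandler perl-script
</FilesMatch>
</Directory>
"""

OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")

def find_blanket_handlers(conf_text):
    """Return (line_no, enclosing_section, handler) for every SetHandler
    naming a script handler outside any <Files>/<FilesMatch> section."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        parts = line.split()
        if parts[0].lower() == "sethandler" and len(parts) > 1:
            handler = parts[1].strip('"').lower()
            scoped = any(n.lower() in ("files", "filesmatch") for n, _ in stack)
            if handler in SCRIPT_HANDLERS and not scoped:
                where = " ".join(stack[-1]) if stack else "(server config)"
                findings.append((no, where, handler))
    return findings

print(find_blanket_handlers(SAMPLE))
```

The scoped block in the sample uses <FilesMatch "\.pl$"> rather than AddHandler because mod_mime evaluates every extension of a multi-extension filename, so AddHandler perl-script .pl also applies to a name such as sasi.pl.txt.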