Apache Code execution when using insecure HTTP Config

07-24-2014, 09:21 PM
The following code belongs to the Apache http.config file. The config given below is used to configure Perl CGI on Apache for a particular directory. But this config is flawed and could create a series of security issues. I have seen this config in a lot of online tutorials, and people have been blindly following these settings. We have a daily security challenge going on our Facebook page and I posted this issue over there:


[Buggy Config]

PerlSetEnv scriptLoc /var/www/scripts/
Alias /var/www/scripts/ /var/code/scripts
<Location /var/www/scripts/>
# SetHandler applies to every file under this location, whatever its extension
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlSendHeader On
allow from all
</Location>

When placed in an .htaccess file or a <Directory> or <Location> section, the SetHandler directive forces all matching files to be parsed through the handler given by handler-name. So in our case the handler will make any file kept in the script directory be parsed as Perl. In that case rahul.jpeg, sasi.txt or sasi.pl.tx will all be treated as Perl scripts. This bug could be combined with any file write vulnerability to achieve code execution.


The right configuration should use AddHandler, explicitly specifying which file extensions should be treated as Perl code. http://httpd.apache.org/docs/2.2/mod/mod_mime.html#addhandler

AddHandler perl-script .pl

Rahul Sasi
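
A defender-side check for the pattern described in this thread, added here as an example and not part of the original post: it walks an Apache config and reports every SetHandler that assigns an executing handler to a whole section (or server-wide) without a <Files>/<FilesMatch> restriction. The handler list, the function name `audit` and the sample configs are assumptions constructed for illustration.

```python
import re

# Handlers that make Apache execute the matched file (assumed list; extend as needed).
EXEC_HANDLERS = {"perl-script", "cgi-script", "modperl"}
# Sections that narrow a directive to specific file names.
FILE_SCOPES = {"files", "filesmatch"}

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")
SETHANDLER = re.compile(r"SetHandler\s+(\S+)", re.I)

def audit(conf_text):
    """Return (line_no, handler, scope) for each SetHandler that assigns an
    executing handler with no enclosing <Files>/<FilesMatch> section."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:                                     # tolerate sections left unclosed at EOF
            stack.append((m.group(1), m.group(2).strip()))
            continue
        m = SETHANDLER.match(line)
        if m and m.group(1).lower() in EXEC_HANDLERS:
            if not any(name.lower() in FILE_SCOPES for name, _ in stack):
                scope = "<%s %s>" % stack[-1] if stack else "server-wide"
                findings.append((no, m.group(1), scope))
    return findings

# Constructed sample: the pattern from the post, reduced to the relevant lines.
BUGGY = """\
Alias /var/www/scripts/ /var/code/scripts
<Location /var/www/scripts/>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
</Location>
"""
# Constructed sample: the same handler limited to .pl files.
SCOPED = """\
<Location /var/www/scripts/>
<FilesMatch "\\.pl$">
SetHandler perl-script
</FilesMatch>
</Location>
"""

if __name__ == "__main__":
    for line_no, handler, scope in audit(BUGGY):
        print("line %d: SetHandler %s applies to every file in %s" % (line_no, handler, scope))
```
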