The following code belongs to the Apache http.config file. The config below is used to configure Perl CGI on Apache for a particular directory, but it is flawed and could create a series of security issues. I have seen this config in a lot of online tutorials, and people have been blindly following these settings. We have a daily security challenge going on our Facebook page, and I posted this issue there:

[Buggy Config]

PerlSetEnv scriptLoc /var/www/scripts/
Alias /var/www/scripts/ /var/code/scripts
<Location /var/www/scripts/>
  SetHandler perl-script
  PerlResponseHandler ModPerl::Registry
  Options +ExecCGI
  PerlSendHeader On
  allow from all
</Location>

When placed in an .htaccess file or a <Directory> or <Location> section, the SetHandler directive forces all matching files to be parsed through the handler given by handler-name. In our case, the handler makes any file kept in the script directory be parsed as Perl, so rahul.jpeg or sasi.txt will be treated as a Perl script. This bug could be combined with any file-write vulnerability to achieve code execution.

The right configuration should use AddHandler, explicitly specifying which file extension should be treated as Perl code.

AddHandler perl-script .pl

Rahul Sasi