
Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)



On Thursday 29 March 2007 13:18, Peter Samuelson wrote:
> Do you know the scope of the DoS - does it allow the attacker to kill
> the process running the perl program, or exhaust your memory, or
> what?

I haven't tested, since I have no systems that are vulnerable, but from 
the original problem report by Alex Solovey:

If I have a PerlRun script, e.g., http://localhost/test/script, and
call it using a URL with special symbols like '(' in path_info,
PerlRun fails with server error. For example, calling
     http://localhost/test/script/(
produces this error:

[Thu Mar 22 10:24:57 2007] [error] Unmatched ( in regex; marked by <--
HERE in m//( <-- HERE $/ at
/usr/local/lib/perl5/site_perl/5.8.8/mach/Apache/PerlRun.pm line 171.


So, in most cases, it is an Internal Server Error, which, AFAIK, does not 
kill the process, and will only affect the requesting client. The main 
fear among members of the mod_perl list was that it would be possible 
to inject a regular expression that would take forever to return, and 
possibly exhaust memory. Now, I think it is good practice to kill 
threads that run away, so a number of best practices should guard 
against this, but I guess it is legitimate to raise a security issue 
over the possibility of inserting an arbitrary regexp in a URL.

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
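
An added illustration of the failure mode discussed in this message, not code from mod_perl or from the original report: a request path_info interpolated unescaped into a Perl regex, beside two ways of treating it as literal text. The function names and the sample requests are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration: remove a trailing path_info from a request URI.

sub strip_unsafe {
    my ($uri, $path_info) = @_;
    # path_info becomes part of the compiled pattern, so regex
    # metacharacters sent by the client are interpreted, not matched.
    $uri =~ s/$path_info$// if length $path_info;
    return $uri;
}

sub strip_quoted {
    my ($uri, $path_info) = @_;
    # \Q...\E (quotemeta) escapes every metacharacter before compilation.
    $uri =~ s/\Q$path_info\E$// if length $path_info;
    return $uri;
}

sub strip_literal {
    my ($uri, $path_info) = @_;
    # No regex at all: compare the suffix as a string and cut it off.
    my $n = length $path_info;
    return $uri unless $n && $n <= length $uri;
    return substr($uri, -$n) eq $path_info ? substr($uri, 0, -$n) : $uri;
}

# Constructed sample requests: [ uri, path_info ] pairs.
my @requests = (
    [ '/test/script/extra', '/extra' ],
    [ '/test/script/(',     '/('     ],   # the input from the report
    [ '/test/script/a.b',   '/a.b'   ],
);

for my $r (@requests) {
    my ($uri, $pi) = @$r;
    # A pattern that fails to compile dies at run time; eval traps it
    # so the loop can show all three variants side by side.
    my $unsafe = eval { strip_unsafe($uri, $pi) };
    my $err    = $@;
    $unsafe = 'died: ' . (split /;/, $err)[0] unless defined $unsafe;
    printf "%-20s unsafe=%-28s quoted=%-14s literal=%s\n",
        $uri, $unsafe, strip_quoted($uri, $pi), strip_literal($uri, $pi);
}
```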


