Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
On Thursday 29 March 2007 13:18, Peter Samuelson wrote:
> Do you know the scope of the DoS - does it allow the attacker to kill
> the process running the perl program, or exhaust your memory, or
> what?
I haven't tested, since I have no systems that are vulnerable, but from
the original problem report by Alex Solovey:
If I have a PerlRun script, e.g., http://localhost/test/script, and
call it using a URL with special symbols like '(' in path_info,
PerlRun fails with server error. For example, calling
http://localhost/test/script/(
produces this error:
[Thu Mar 22 10:24:57 2007] [error] Unmatched ( in regex; marked by <--
HERE in m//( <-- HERE $/ at
/usr/local/lib/perl5/site_perl/5.8.8/mach/Apache/PerlRun.pm line 171.
So, in most cases, it is an Internal Server Error, which, AFAIK, does not
kill the process, and will only affect the requesting client. The main
fear among members of the mod_perl list was that it would be possible
to inject a regular expression that would take forever to return, and
possibly exhaust memory. Now, I think it is good practice to kill
threads that run away, so a number of best practices should guard
against this, but I guess it is legitimate to raise a security issue
over the possibility of inserting an arbitrary regexp in a URL.
Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
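
The failure in the quoted report, as an added example that is not part of the original message and is not mod_perl's own code: path_info interpolated into a pattern as regex source, next to the same substitution with the value escaped by `\Q...\E`. The function names and sample requests are constructed, and the assumption that the value is used to strip path_info from the end of the URI is inferred from the `m//( ... $/` pattern in the log line above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unescaped form: $path_info is compiled as regex source, so any
# metacharacter the client puts in the URL becomes part of the pattern.
sub strip_path_info_unescaped {
    my ($uri, $path_info) = @_;
    $uri =~ s/$path_info$//;
    return $uri;
}

# Escaped form: \Q...\E (quotemeta) turns every character of the
# client-supplied value into a literal before the pattern is compiled.
sub strip_path_info_escaped {
    my ($uri, $path_info) = @_;
    $uri =~ s/\Q$path_info\E$// if length $path_info;
    return $uri;
}

# Constructed sample requests: [ full URI, path_info ].
my @requests = (
    [ '/test/script/extra', '/extra' ],   # no metacharacters
    [ '/test/script/(',     '/('     ],   # the case from the report
    [ '/test/script/a+b',   '/a+b'   ],   # compiles, but '+' is a quantifier
);

for my $req (@requests) {
    my ($uri, $path_info) = @$req;

    # A pattern that fails to compile dies at run time; under PerlRun
    # that surfaces as the Internal Server Error described above.
    my $unescaped = eval { strip_path_info_unescaped($uri, $path_info) };
    $unescaped = 'died: ' . (split /;/, $@)[0] unless defined $unescaped;

    my $escaped = strip_path_info_escaped($uri, $path_info);

    printf "%-20s unescaped=%-28s escaped=%s\n", $uri, $unescaped, $escaped;
}
```

The third request shows the quieter failure: the pattern compiles, fails to match the literal `+`, and the unescaped version returns the URI unchanged without any error in the log.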