apache/mod_perl: The latest CVE Vulnerabilities and Exploits for Penetration Test
apache/mod_perl Vulnerability Summary
- Vendor name: apache
- Product name: mod_perl
- Total vulnerabilities: 3 (as 2023-05-04)
apache/mod_perl Vulnerability List
CVE-2011-2767: mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a…
Published: 2018-08-26T16:29:00 Last Modified: 2019-09-24T18:15:00
Summary
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator’s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
Common Weakness Enumeration (CWE): CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CWE Description: The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Scores
- Impact Score: 10.0
- Exploitability Score: 10.0
- CVSS: 10.0
- CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Impact
- Availability: COMPLETE
- Confidentiality: COMPLETE
- Integrity: COMPLETE
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2011-2767 vulnerability.
References
- https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E
- https://bugs.debian.org/644169
- https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html
- https://access.redhat.com/errata/RHSA-2018:2737
- https://access.redhat.com/errata/RHSA-2018:2826
- https://access.redhat.com/errata/RHSA-2018:2825
- http://www.securityfocus.com/bid/105195
- https://usn.ubuntu.com/3825-1/
- https://usn.ubuntu.com/3825-2/
- https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d@%3Cmodperl-cvs.perl.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html
See also: All popular products CVE Vulnerabilities of apache
CVE-2009-0796: Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in…
Published: 2009-04-07T23:30:00 Last Modified: 2018-10-10T19:31:00
Summary
Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI.
Common Weakness Enumeration (CWE): CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Scores
- Impact Score: 2.9
- Exploitability Score: 4.9
- CVSS: 2.6
- CVSS Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
Impact
- Availability: NONE
- Confidentiality: NONE
- Integrity: PARTIAL
Access
- Authentication: NONE
- Complexity: HIGH
- Vector: NETWORK
Exploits Database (Total Exploits Count: 1)
Code designed for conducting penetration testing on CVE-2009-0796 vulnerability.
References
- http://www.gossamer-threads.com/lists/modperl/modperl/99475#99475
- http://svn.apache.org/viewvc/perl/modperl/branches/1.x/lib/Apache/Status.pm?r1=177851&r2=761081&pathrev=761081&diff_format=h
- http://www.gossamer-threads.com/lists/modperl/modperl-cvs/99477#99477
- https://bugzilla.redhat.com/show_bug.cgi?id=494402
- http://svn.apache.org/viewvc?view=rev&revision=761081
- https://launchpad.net/bugs/cve/2009-0796
- http://www.vupen.com/english/advisories/2009/0943
- http://www.securitytracker.com/id?1021988
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:091
- http://secunia.com/advisories/34597
- http://www.securityfocus.com/bid/34383
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021508.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021709.1-1
- http://support.apple.com/kb/HT4435
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8488
- http://www.securityfocus.com/archive/1/502709/100/0/threaded
See also: All popular products CVE Vulnerabilities of apache
CVE-2007-1349: PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not…
Published: 2007-03-30T00:19:00 Last Modified: 2022-02-03T16:26:00
Summary
PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation
CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Scores
- Impact Score: 2.9
- Exploitability Score: 10.0
- CVSS: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Impact
- Availability: PARTIAL
- Confidentiality: NONE
- Integrity: NONE
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2007-1349 vulnerability.
References
- http://www.gossamer-threads.com/lists/modperl/modperl/92739
- http://svn.apache.org/repos/asf/perl/modperl/branches/1.x/Changes
- http://secunia.com/advisories/24678
- http://www.securityfocus.com/bid/23192
- http://secunia.com/advisories/24839
- http://www.novell.com/linux/security/advisories/2007_8_sr.html
- http://security.gentoo.org/glsa/glsa-200705-04.xml
- http://secunia.com/advisories/25110
- http://secunia.com/advisories/25072
- http://support.avaya.com/elmodocs2/security/ASA-2007-293.htm
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:083
- http://rhn.redhat.com/errata/RHSA-2007-0395.html
- http://www.redhat.com/support/errata/RHSA-2007-0486.html
- http://www.redhat.com/support/errata/RHSA-2007-0396.html
- ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
- http://www.novell.com/linux/security/advisories/2007_12_sr.html
- http://www.trustix.org/errata/2007/0023/
- http://www.ubuntu.com/usn/usn-488-1
- http://www.securitytracker.com/id?1018259
- http://secunia.com/advisories/25432
- http://secunia.com/advisories/25655
- http://secunia.com/advisories/25730
- http://secunia.com/advisories/25894
- http://secunia.com/advisories/26084
- http://secunia.com/advisories/26231
- http://secunia.com/advisories/26290
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://rhn.redhat.com/errata/RHSA-2008-0630.html
- http://secunia.com/advisories/31493
- http://www.redhat.com/support/errata/RHSA-2008-0627.html
- http://secunia.com/advisories/31490
- http://secunia.com/advisories/33723
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-248386-1
- http://secunia.com/advisories/33720
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021508.1-1
- http://www.vupen.com/english/advisories/2007/1150
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33312
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8349
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10987
See also: All popular products CVE Vulnerabilities of apache