Bug 5694 - mod_perl config leaves main script dir indexable
Summary: mod_perl config leaves main script dir indexable
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High minor
Assignee: Gentoo Perl team
Keywords: SECURITY
Depends on:
Reported: 2002-07-28 16:05 UTC by Mikael Hedberg
Modified: 2003-12-17 13:46 UTC

Description Mikael Hedberg 2002-07-28 16:05:11 UTC
Due to faulty configuration as done by mod_perl's ebuild while doing config, the
standard configuration leaves the main script directory /perl (and optionally,
/cgi-perl) indexable. This is a minor security flaw.

The error does not affect users' mod_perl script directories, only the system one.

The sections of Apache's commonapache.conf that are faulty are:
<Location /perl/*.pl>
#<Location /cgi-perl/*.pl>

Removing the "/*.pl" ending on those two rows resolves the issue.

Since I have no experience with ebuilds, I can't send any fixed ebuild. My
mod_perl package is now version 1.27, but I'm unsure if it's been upgraded since
I did the ebuild config. In that case it's been upgraded only once.
Comment 1 Nicholas Jones (RETIRED) gentoo-dev 2002-07-31 04:55:04 UTC
Can you do a test for me? Add the /*.pl back (as that was to register the
extension) and add this section before the perl module configs:

<Location /perl>
  Options -Indexes
</Location>

Lemme know the results.
Comment 2 Mikael Hedberg 2002-08-10 06:36:10 UTC
Sorry for the delay, been on a vacation.

That works... I've now tested a section like this:

    <Location /cgi-perl>
      Options -Indexes
    </Location>

    #set Apache::PerlRun Mode for /cgi-perl Alias
    <Location /cgi-perl/*.pl>
        SetHandler perl-script
        PerlHandler Apache::PerlRun
        Options ExecCGI
    </Location>

(all inside the <IfModule> section), which seems to work. I can't get an index
listing, and the scripts still execute. The same should work for the /perl
section, though I haven't tested it.

*Important note*: I still consider this bad security practice, since it leaves
some files readable. AFAIK the recommended option is to use the /perl and
/cgi-perl directory matches. Consider the following:

script uses module

loading will run the script as expected. Loading, will
give the source of that document, however - not a good thing. Using <Location
/perl> (or similar) will run the module however, which does nothing but load the
module, return true, and the browser will most probably show some error like
"The document contains no data" (Mozilla does). If an attacker can guess the
name of a module used or somehow obtain this information, that'd give a platform
for attack.

This is an even more minor issue than the original one, but is there a good
reason to only allow .pl files as scripts in /perl?
Comment 3 Robert Coie (RETIRED) gentoo-dev 2003-12-17 13:46:26 UTC
This appears to be fixed in commonapache.conf.
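
A configuration check for the two problems raised in this report, as an added example that is not part of the original bug thread or of any Gentoo tooling: it flags perl-script handler sections bound only to a file glob and reports whether the parent path also lacks a handler or "Options -Indexes". The sample configuration is constructed (the Apache::Registry line for /perl is an assumption), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the variants discussed in the report;
# it is not the real commonapache.conf. Apache::Registry is an assumption.
SAMPLE_CONF = """
<IfModule mod_perl.c>
  <Location /perl/*.pl>
    SetHandler perl-script
    PerlHandler Apache::Registry
    Options ExecCGI
  </Location>
  <Location /cgi-perl>
    Options -Indexes
  </Location>
  <Location /cgi-perl/*.pl>
    SetHandler perl-script
    PerlHandler Apache::PerlRun
    Options ExecCGI
  </Location>
</IfModule>
"""

SECTION = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf):
    """Map each <Location> path to its lower-cased directives, ignoring comments."""
    live = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    return {path: [d.strip().lower() for d in body.splitlines() if d.strip()]
            for path, body in SECTION.findall(live)}

def audit(conf):
    """Return (path, finding) pairs for handlers that cover only a file glob."""
    locs = parse_locations(conf)
    findings = []
    for path, directives in locs.items():
        base, _, leaf = path.rpartition("/")
        handled = any(d.startswith("sethandler") for d in directives)
        if not handled or not any(c in leaf for c in "*?"):
            continue  # only handler sections bound to a file glob are of interest
        parent = locs.get(base, [])
        if not any(d.startswith("sethandler") for d in parent):
            findings.append((base, "files not matching %s get no script handler" % leaf))
        if not any(d.startswith("options") and "-indexes" in d for d in parent):
            findings.append((base, "directory listing not disabled"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONF):
        print(path, "-", finding)
```

On the sample, /perl gets both findings, while /cgi-perl gets only the handler finding because its parent section already carries "Options -Indexes".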