Fred Moyer
2009-04-01 21:58:12 UTC
mod_perl lists,
A specific vulnerability [CVE-2009-0795] in Apache::Status and
Apache2::Status has been discovered which may affect the security of
your mod_perl installation. Running Apache::Status on a public server
with no protection has always been a bad idea though, vulnerability or
not.
The mod_perl1 and mod_perl2 codebases have been updated to protect
against this vulnerability, but your existing server may be
vulnerable. To secure your mod_perl server from this vulnerability,
we recommend that you disallow access to Apache::Status and
Apache2::Status resources (usually located at /perl-status) from
untrusted hosts.
Q: How do I know if my installation is vulnerable?
A: If you have enabled the Apache::Status or Apache2::Status modules
in your httpd.conf, your installation may be vulnerable. See the
following links for details on what constitutes potentially vulnerable
httpd.conf directives.
http://perl.apache.org/docs/1.0/api/Apache/Status.html#Description
http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Description
If you have a <Location /perl-status> directive in your httpd.conf,
your installation is likely vulnerable.
Q: What steps do I take to secure my mod_perl installation?
A: Disallow access from certain clients to your status url (example
/perl-status) in your httpd.conf file.
mod_perl1 example:
<Location /perl-status>
Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlHandler Apache::Status
</Location>
mod_perl2 example:
<Location /perl-status>
Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlResponseHandler Apache2::Status
</Location>
A specific vulnerability [CVE-2009-0795] in Apache::Status and
Apache2::Status has been discovered which may affect the security of
your mod_perl installation. Running Apache::Status on a public server
with no protection has always been a bad idea though, vulnerability or
not.
The mod_perl1 and mod_perl2 codebases have been updated to protect
against this vulnerability, but your existing server may be
vulnerable. To secure your mod_perl server from this vulnerability,
we recommend that you disallow access to Apache::Status and
Apache2::Status resources (usually located at /perl-status) from
untrusted hosts.
Q: How do I know if my installation is vulnerable?
A: If you have enabled the Apache::Status or Apache2::Status modules
in your httpd.conf, your installation may be vulnerable. See the
following links for details on what constitutes potentially vulnerable
httpd.conf directives.
http://perl.apache.org/docs/1.0/api/Apache/Status.html#Description
http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Description
If you have a <Location /perl-status> directive in your httpd.conf,
your installation is likely vulnerable.
Q: What steps do I take to secure my mod_perl installation?
A: Disallow access from certain clients to your status url (example
/perl-status) in your httpd.conf file.
mod_perl1 example:
<Location /perl-status>
Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlHandler Apache::Status
</Location>
mod_perl2 example:
<Location /perl-status>
Order deny,allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlResponseHandler Apache2::Status
</Location>