torsten.foertsch at gmx
Apr 1, 2009, 10:51 AM
Post #5 of 7
(2000 views)
Permalink
|
On Wed 01 Apr 2009, Geoffrey Young wrote:
> Torsten Foertsch wrote:
> > On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> >>> almost a month ago there was this posting on the users list
> >>>
> >>>
> >>> http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >>>
> >>> stating there was a security related bug in modperl.
> >>>
> >>> Since then there were no svn updated touching the code. I'd like
> >>> to know if my servers are secure. So, where can I get more
> >>> information about the bug to perhaps help to fix it?
> >>>
> >>> Who knows more about the bug, please issue a statement if it is a
> >>> bug or not. If it is but nobody has the resources to fix it,
> >>> please let me know (privately) what it is. If I can I'll do it
> >>> then.
> >>
> >> AFAIK, the original submitter didn't follow up and explain what
> >> the potential security problem was. He was told to contact
> >> security [at] apache, but I haven't heard anything from them.
> >
> > Just FYI, the bug is a simple cross site scripting thing in
> > Apache2::Status (and probably in mp1's Apache::Status as well)
>
> just for clarification, do you know this because he contacted you
> directly? or are you on security [at] a I can't see any further
> discussion of it in the archives, but I'm not on security@ so I don't
> know what goes on there.
No, I am not on security [at] a I have seen his announce about the problem
on the users list on 01.03.09. That is now a month ago. 3 weeks later
(21.03.09) I asked here on the dev list if anybody knows anything about
the bug because I couldn't see any change in the code. So, it was
clearly not fixed yet. The original submitter answered privately that
it was something to do with perl_status. Further, Gozer replied that
either nothing has appeared on security [at] a or he was not contacted
about the bug by them.
Anyway, I do not think that a security bug floating around in the wild
for almost a month is a good thing. So, I inspected the code and found
that $r->uri was written unaltered to links in the output. So any
path_info goes there as well. Then I asked the original submitter if it
was this and he confirmed it.
After finding out what the problem is I asked Gozer on 23.03.09
privately and described the problem because of his first mail about not
hearing from security [at] a In this mail I asked him:
On Mon 23 Mar 2009, Torsten Foertsch wrote:
> What will we do about it? I think we need to issue a statement: "do
> not use Apache::Status on a publicly accessible web server". I don't
> think anyone in a proper state of mind does that. But leaving a mail
> like this unanswered is not good.
But unfortunately got no answer.
I hope you understand, there is a security bug and it seems nobody cares
for a month!
So, in the end I fixed it, asked the original submitter if the patch
cures the problem, got his confirmation and went public.
I know I haven't handled the issue the best way. But I didn't know how
else. Nobody answered my mails, nobody did nothing. Except for the
submitter.
Torsten
--
Need professional mod_perl support?
Just hire me: torsten.foertsch [at] gmx
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe [at] perl
For additional commands, e-mail: dev-help [at] perl
|
signature.asc
Apache2::Status.patch
