perl-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Foertsch <torsten.foert...@gmx.net>
Subject Re: Security Problems ???
Date Wed, 01 Apr 2009 17:51:41 GMT
On Wed 01 Apr 2009, Geoffrey Young wrote:
> Torsten Foertsch wrote:
> > On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> >>> almost a month ago there was this posting on the users list
> >>>
> >>>  
> >>> http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >>>
> >>> stating there was a security related bug in modperl.
> >>>
> >>> Since then there were no svn updated touching the code. I'd like
> >>> to know if my servers are secure. So, where can I get more
> >>> information about the bug to perhaps help to fix it?
> >>>
> >>> Who knows more about the bug, please issue a statement if it is a
> >>> bug or not. If it is but nobody has the resources to fix it,
> >>> please let me know (privately) what it is. If I can I'll do it
> >>> then.
> >>
> >> AFAIK, the original submitter didn't follow up and explain what
> >> the potential security problem was. He was told to contact
> >> security@apache.org, but I haven't heard anything from them.
> >
> > Just FYI, the bug is a simple cross site scripting thing in
> > Apache2::Status (and probably in mp1's Apache::Status as well)
>
> just for clarification, do you know this because he contacted you
> directly?  or are you on security@a.o.  I can't see any further
> discussion of it in the archives, but I'm not on security@ so I don't
> know what goes on there.

No, I am not on security@a.o. I have seen his announce about the problem 
on the users list on 01.03.09. That is now a month ago. 3 weeks later 
(21.03.09) I asked here on the dev list if anybody knows anything about 
the bug because I couldn't see any change in the code. So, it was 
clearly not fixed yet. The original submitter answered privately that 
it was something to do with perl_status. Further, Gozer replied that 
either nothing has appeared on security@a.o or he was not contacted 
about the bug by them.

Anyway, I do not think that a security bug floating around in the wild 
for almost a month is a good thing. So, I inspected the code and found 
that $r->uri was written unaltered to links in the output. So any 
path_info goes there as well. Then I asked the original submitter if it 
was this and he confirmed it.

After finding out what the problem is I asked Gozer on 23.03.09 
privately and described the problem because of his first mail about not 
hearing from security@a.o. In this mail I asked him:

On Mon 23 Mar 2009, Torsten Foertsch wrote:
> What will we do about it? I think we need to issue a statement: "do
> not use Apache::Status on a publicly accessible web server". I don't
> think anyone in a proper state of mind does that. But leaving a mail
> like this unanswered is not good.

But unfortunately got no answer.

I hope you understand, there is a security bug and it seems nobody cares 
for a month!

So, in the end I fixed it, asked the original submitter if the patch 
cures the problem, got his confirmation and went public.

I know I haven't handled the issue the best way. But I didn't know how 
else. Nobody answered my mails, nobody did nothing. Except for the 
submitter.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Mime
View raw message