From: Torsten Foertsch
To: dev@perl.apache.org
Cc: Geoffrey Young, "Philippe M. Chiasson", pmc@perl.apache.org, security@apache.org
Subject: Re: Security Problems ???
Date: Wed, 1 Apr 2009 18:51:41 +0100
References: <200903211244.26892.torsten.foertsch@gmx.net> <200904011816.50514.torsten.foertsch@gmx.net> <49D396FE.7050807@modperlcookbook.org>
In-Reply-To: <49D396FE.7050807@modperlcookbook.org>
Message-Id: <200904011951.42460.torsten.foertsch@gmx.net>

On Wed 01 Apr 2009, Geoffrey Young wrote:
> Torsten Foertsch wrote:
> > On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> >>> almost a month ago there was this posting on the users list
> >>>
> >>>   http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >>>
> >>> stating there was a security-related bug in modperl.
> >>>
> >>> Since then there were no svn updates touching the code. I'd like
> >>> to know if my servers are secure. So, where can I get more
> >>> information about the bug to perhaps help to fix it?
> >>>
> >>> Who knows more about the bug, please issue a statement if it is a
> >>> bug or not. If it is but nobody has the resources to fix it,
> >>> please let me know (privately) what it is. If I can I'll do it
> >>> then.
> >>
> >> AFAIK, the original submitter didn't follow up and explain what
> >> the potential security problem was. He was told to contact
> >> security@apache.org, but I haven't heard anything from them.
> >
> > Just FYI, the bug is a simple cross site scripting thing in
> > Apache2::Status (and probably in mp1's Apache::Status as well)
>
> just for clarification, do you know this because he contacted you
> directly?  or are you on security@a.o.  I can't see any further
> discussion of it in the archives, but I'm not on security@ so I don't
> know what goes on there.

No, I am not on security@a.o. I have seen his announcement about the problem
on the users list on 01.03.09. That is now a month ago. 3 weeks later
(21.03.09) I asked here on the dev list if anybody knows anything about
the bug because I couldn't see any change in the code. So, it was
clearly not fixed yet. The original submitter answered privately that
it was something to do with perl_status. Further, Gozer replied that
either nothing has appeared on security@a.o or he was not contacted
about the bug by them.

Anyway, I do not think that a security bug floating around in the wild
for almost a month is a good thing. So, I inspected the code and found
that $r->uri was written unaltered to links in the output. So any
path_info goes there as well. Then I asked the original submitter if it
was this and he confirmed it.

After finding out what the problem is I asked Gozer on 23.03.09
privately and described the problem because of his first mail about not
hearing from security@a.o. In this mail I asked him:

On Mon 23 Mar 2009, Torsten Foertsch wrote:
> What will we do about it? I think we need to issue a statement: "do
> not use Apache::Status on a publicly accessible web server". I don't
> think anyone in a proper state of mind does that. But leaving a mail
> like this unanswered is not good.

But unfortunately I got no answer.

I hope you understand, there is a security bug and it seems nobody cares
for a month!

So, in the end I fixed it, asked the original submitter if the patch
cures the problem, got his confirmation and went public.

I know I haven't handled the issue the best way. But I didn't know how
else. Nobody answered my mails, nobody did anything. Except for the
submitter.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org
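The pattern Torsten describes above ($r->uri written unaltered into the links of the status page, so that any path_info the client appends is reflected into the HTML) is shown below as an added illustration. This is not code from Apache2::Status, from Torsten's patch or from this thread; it runs with core Perl only, and the request object, the <Location> value /perl-status, the section name and the path_info payload are all constructed here for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaper (core Perl only, so the script runs without
# Apache or HTML::Entities installed).
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable pattern: the raw request URI (which, like $r->uri in
# mod_perl 2, still carries the path_info) is interpolated straight
# into an href attribute. A quote in path_info closes the attribute
# and the rest of the payload becomes live markup.
sub link_unescaped {
    my ($uri, $section) = @_;
    return qq{<a href="$uri?$section">$section</a>};
}

# Hardened pattern: every request-derived value is HTML-escaped before
# it is placed into the attribute or the element body. Escaping alone
# makes the payload inert; anchoring on the configured <Location>
# instead of the request URI additionally keeps path_info out of the
# link entirely.
sub link_escaped {
    my ($base, $section) = @_;
    return sprintf '<a href="%s?%s">%s</a>',
        escape_html($base), escape_html($section), escape_html($section);
}

# Constructed request: /perl-status is the <Location> the handler is
# mounted on; everything after it is path_info chosen by the client.
my $location  = '/perl-status';
my $path_info = q{/"><script>alert(1)</script><a href="};
my $uri       = $location . $path_info;   # what $r->uri would return
my $section   = 'env';                    # a status-page section name

print "vulnerable (raw uri):        ", link_unescaped($uri, $section), "\n";
print "hardened   (escaped uri):    ", link_escaped($uri, $section), "\n";
print "hardened   (location only):  ", link_escaped($location, $section), "\n";
```

In the first line of output the injected <script> element is a real element in the page; in the second it survives only as &quot;&gt;&lt;script&gt;... inside the attribute value, and in the third it is gone because the link is built from the handler's own prefix rather than from the client-controlled path. In mod_perl 2 the corresponding accessors are $r->uri for the full request path and $r->location for the matched <Location> prefix; which one a status page should build its links from is a design choice, but whichever it uses must be escaped when written into HTML.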