<<< Date Index >>>     <<< Thread Index >>>

Re: Hijacking Apache 2 via mod_perl



Steve Grubb wrote:
Product:         mod_perl
Versions:        1.99_09 / apache 2.0.47
URL:             http://perl.apache.org
Impact:          Daemon Hijacking
Bug class:       Leaked Descriptor
Vendor notified: Yes
Fix available:   No
Date:            01/21/04
Issue:
======
Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to 
takeover (hijack) the http and https services.

This is not a leak - mod_perl is a module that is compiled into Apache, and hence has access to all its resources (including memory). If you want to run untrusted Perl, then don't use mod_perl.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff