Common Perl exploit on shared hosts

Status
Not open for further replies.

NewEraCracker

Have you disabled CGI for your users?
But you can still execute Perl scripts.

Are you amazed?
I am not.

This is a common .htaccess exploit.

Have fun with this:
.htaccess
Code:
Options +ExecCGI
<FilesMatch \.pl$>
SetHandler cgi-script
</FilesMatch>

test.pl - Windows version
Code:
#!c:/perl/bin/perl.exe
##
##  printenv -- demo CGI program which just prints its environment
##  (if this page renders, the .htaccess above has turned CGI execution
##  back on for .pl files in this directory)
##
use strict;
use warnings;

print "Content-type: text/plain; charset=iso-8859-1\n\n";
foreach my $var (sort(keys(%ENV))) {
    my $val = $ENV{$var};
    $val =~ s|\n|\\n|g;      # escape newlines so each variable stays on one line
    $val =~ s|"|\\"|g;       # escape embedded double quotes
    print "${var}=\"${val}\"\n";
}

test.pl - Linux version
Code:
#!/usr/bin/perl
##
##  printenv -- demo CGI program which just prints its environment
##  (identical to the Windows version apart from the interpreter path)
##
use strict;
use warnings;

print "Content-type: text/plain; charset=iso-8859-1\n\n";
foreach my $var (sort(keys(%ENV))) {
    my $val = $ENV{$var};
    $val =~ s|\n|\\n|g;      # escape newlines so each variable stays on one line
    $val =~ s|"|\\"|g;       # escape embedded double quotes
    print "${var}=\"${val}\"\n";
}

And this is how to fix it (Apache configuration for the directory):
Code:
Options Indexes FollowSymLinks
# Options= takes one comma-separated list; repeating "Options=" would reset the list each time
AllowOverride All Options=IncludesNOEXEC,Indexes,FollowSymLinks
Update: changing Options may cause 500 errors; changing AllowOverride alone should still give some lower level of protection.

Thanks to CVE-2009-1195 for the idea.

For details about the configurations see:
https://httpd.apache.org/docs/current/mod/core.html#allowoverride
https://httpd.apache.org/docs/current/mod/core.html#options

Be aware this thread was edited with better configuration to avoid 500 errors with legitimate .htaccess edits.

If you face any errors with a certain .htaccess that you think being legitimate, reply here. Thanks.
 
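The post's fix stops .htaccess from re-enabling ExecCGI, but an admin of an existing shared host also wants to know which users already have such a file. The script below is an added example and is not code from the original post or from cPanel; it walks a web root, parses every .htaccess it finds, and reports the directives the post relies on (Options +ExecCGI, +Includes or All, and SetHandler/AddHandler cgi-script), while ignoring a disabling "-ExecCGI". The sample .htaccess files it audits are constructed inline in a temporary directory; the user1/user2/user3 paths are assumptions, not real accounts.

```python
#!/usr/bin/env python3
"""Scan a web root for .htaccess files that turn script execution back on.

Added example for the thread above, not code from the original post.
It flags the directives used in the post (Options +ExecCGI / Includes / All,
SetHandler or AddHandler cgi-script). Sample files and paths are constructed.
"""
import os
import shlex
import tempfile
from dataclasses import dataclass

# Options keywords that enable execution in the directory.
# "All" turns on every option except MultiViews, so it includes ExecCGI.
RISKY_OPTIONS = {"execcgi", "includes", "all"}
# Handler names that make Apache run the matched file as a program.
RISKY_HANDLERS = {"cgi-script"}


@dataclass
class Finding:
    path: str
    line_no: int
    directive: str
    text: str


def _logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined and comments dropped."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            yield start, joined


def audit_text(text, path="<string>"):
    """Return the risky directives found in one .htaccess body."""
    findings = []
    for no, line in _logical_lines(text):
        try:
            words = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            words = line.split()
        if not words:
            continue
        name = words[0].lower()
        args = [w.lower() for w in words[1:]]
        if name == "options":
            # "+ExecCGI" and "ExecCGI" enable; "-ExecCGI" disables, so skip "-" arguments.
            if any(a.lstrip("+") in RISKY_OPTIONS for a in args if not a.startswith("-")):
                findings.append(Finding(path, no, "Options", line))
        elif name in ("sethandler", "addhandler"):
            if any(a in RISKY_HANDLERS for a in args):
                findings.append(Finding(path, no, words[0], line))
    return findings


def audit_tree(root):
    """Audit every .htaccess below root (e.g. /home on a cPanel box)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_text(fh.read(), p))
    return findings


# Constructed samples (assumed user names): the .htaccess from the post, a benign
# rewrite-only file, and one that disables ExecCGI but maps .pl via AddHandler.
SAMPLES = {
    "user1/public_html/.htaccess": "Options +ExecCGI\n<FilesMatch \\.pl$>\nSetHandler cgi-script\n</FilesMatch>\n",
    "user2/public_html/.htaccess": "# rewrite rules only\nRewriteEngine On\nRewriteRule ^old$ /new [R=301]\nOptions -Indexes\n",
    "user3/public_html/.htaccess": "Options -ExecCGI +FollowSymLinks\nAddHandler \\\n    cgi-script .pl .cgi\n",
}


def demo():
    """Write the samples to a temp dir, audit it, return findings sorted by path and line."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        found = audit_tree(root)
        for f in found:                     # strip the temp prefix so output is stable
            f.path = os.path.relpath(f.path, root)
    return sorted(found, key=lambda f: (f.path, f.line_no))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: {f.directive}: {f.text}")
```

Run it against the real home directory with audit_tree("/home") instead of demo(); the continuation handling matters because a user can split "AddHandler \" across lines to dodge a naive grep, and the "-" check keeps "Options -ExecCGI" out of the report.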
3 comments
Hello NEC,

I guess this idea won't work on shared servers with the fcgid/suphp handler.

It will work on servers with mod_php only, since Options +ExecCGI is needed by fcgid/suphp to run PHP scripts.

I've tried it and all PHP scripts started to throw 500 errors; I'm using fcgid.

Highest Regards
Mohammed H
 
This has been known for years. But it's not so bad, because it's not like a user can get root access.

Most have let the idea go.

The best way to disable it is to run a command every hour that chmods all Perl files on a shared host to 0000,

or else edit your CGI executable so they are disabled.
 
Can you tell me the value of "Options" on your server?
That shouldn't be related to AllowOverride, as it only controls the options that can be set in .htaccess.

Also,
I'd advise people running shared hosts to use SuPHP and SuExec. That way things are executed under the user's own account.
 