CVE-2011-2767
📋 TL;DR
This vulnerability in mod_perl allows attackers to execute arbitrary Perl code by placing it in a user-controlled .htaccess file. It affects Apache HTTP Server installations using mod_perl 2.0 through 2.0.10. The flaw enables unprivileged users to run code with the same permissions as the Apache process.
💻 Affected Systems
- mod_perl
- Apache HTTP Server with mod_perl
📦 What is this software?
Mod Perl by Apache
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing arbitrary code execution, data theft, privilege escalation, and complete system control.
Likely Case
Remote code execution leading to web application compromise, data exfiltration, and lateral movement within the network.
If Mitigated
Limited impact if proper file permissions prevent .htaccess uploads or mod_perl is disabled.
🎯 Exploit Status
Exploitation requires ability to upload or modify .htaccess files, which typically requires some level of access to the web server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: mod_perl 2.0.11 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2018:2737
Restart Required: Yes
Instructions:
1. Update mod_perl to version 2.0.11 or later.
2. For Red Hat systems: yum update mod_perl
3. Restart the Apache service: systemctl restart httpd or service httpd restart
🔧 Temporary Workarounds
Disable .htaccess processing
all: Prevent Apache from processing .htaccess files in vulnerable directories
<Directory /path/to/webroot>
AllowOverride None
</Directory>
Disable mod_perl
linux: Remove or disable the mod_perl module if not required
a2dismod perl
systemctl restart apache2
🧯 If You Can't Patch
- Restrict file upload permissions to prevent .htaccess file creation
- Implement strict file system monitoring for .htaccess modifications
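One way to implement the .htaccess modification monitoring listed above, as an added example that is not part of the original advisory: it records SHA-256 hashes of every .htaccess file under a web root and reports files that were added, modified or removed since the baseline. The function names and paths are assumptions, and it relies on GNU find, sort, xargs and sha256sum.

```bash
#!/usr/bin/env bash
# Added example: baseline-and-compare monitor for .htaccess files.
# Function names and paths are assumptions; requires GNU find/sort/xargs/sha256sum.

# htaccess_snapshot DIR
# Print one "<sha256>  <path>" line per .htaccess file under DIR, sorted by path.
htaccess_snapshot() {
    find "$1" -type f -name '.htaccess' -print0 2>/dev/null |
        sort -z |
        xargs -0 -r sha256sum
}

# htaccess_diff BASELINE_FILE DIR
# Compare DIR with a saved snapshot. Prints ADDED/MODIFIED/REMOVED lines and
# returns 1 when anything changed, 0 when the tree matches the baseline.
htaccess_diff() {
    local baseline=$1 dir=$2 changes
    changes=$(htaccess_snapshot "$dir" | awk -v base="$baseline" '
        BEGIN {
            # Load the baseline: 64 hex chars, two separator chars, then the path.
            while ((getline line < base) > 0)
                old[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            hash = substr($0, 1, 64); path = substr($0, 67)
            if (!(path in old))         print "ADDED " path
            else if (old[path] != hash) print "MODIFIED " path
            delete old[path]            # whatever is left afterwards was removed
        }
        END { for (p in old) print "REMOVED " p }
    ')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage: script init DIR BASELINE   (record a trusted state)
#        script check DIR BASELINE  (report drift; exit status 1 on change)
case "${1:-}" in
    init)  htaccess_snapshot "$2" > "$3" ;;
    check) htaccess_diff "$3" "$2" ;;
esac
```

Keep the baseline file outside the web root and writable only by an administrative account, and run the check on a schedule so that a non-zero exit status raises an alert.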
🔍 How to Verify
Check if Vulnerable:
Check mod_perl version: perl -Mmod_perl2 -e 'print $mod_perl2::VERSION'
Check Version:
perl -Mmod_perl2 -e 'print $mod_perl2::VERSION'
Verify Fix Applied:
Verify mod_perl version is 2.0.11 or higher using the same command
📡 Detection & Monitoring
Log Indicators:
- Unexpected .htaccess file modifications
- Suspicious Perl code execution in Apache logs
- Unauthorized file upload attempts
Network Indicators:
- Unusual outbound connections from web server
- Suspicious HTTP requests containing Perl code
SIEM Query:
source="apache_access.log" AND ("PUT" OR "POST") AND ".htaccess"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00063.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00065.html
- http://www.securityfocus.com/bid/105195
- https://access.redhat.com/errata/RHSA-2018:2737
- https://access.redhat.com/errata/RHSA-2018:2825
- https://access.redhat.com/errata/RHSA-2018:2826
- https://bugs.debian.org/644169
- https://lists.apache.org/thread.html/c8ebe8aad147a3ad2e7b0e8b2da45263171ab5d0fc7f8c100feaa94d%40%3Cmodperl-cvs.perl.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/09/msg00018.html
- https://mail-archives.apache.org/mod_mbox/perl-modperl/201110.mbox/raw/%3C20111004084343.GA21290%40ktnx.net%3E
- https://usn.ubuntu.com/3825-1/
- https://usn.ubuntu.com/3825-2/