Apache mod_perl: Denial of service

Apache mod_perl: Denial of service The mod_perl Apache module is vulnerable to a Denial of Service when processing regular expressions. mod_perl 2007-05-02 2007-05-02 172676 remote 2.0.3-r1 1.30 2.0.3-r1

Mod_perl is an Apache module that embeds the Perl interpreter within the server, allowing Perl-based web-applications to be created.

Alex Solvey discovered that the "path_info" variable used in file RegistryCooker.pm (mod_perl 2.x) or file PerlRun.pm (mod_perl 1.x), is not properly escaped before being processed.

A remote attacker could send a specially crafted URL to the vulnerable server, possibly resulting in a massive resource consumption.

There is no known workaround at this time.

All mod_perl 1.x users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-1.30"

All mod_perl 2.x users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apache/mod_perl-2.0.3-r1"

CVE-2007-1349 falco vorlon p-y