Common perl exploit in shared hosts.

[NewEraCracker]

Have you disabled cgi for your users?
But you can still execute perl scripts.

Are you amazed?
I am not.

This is a common .htaccess exploit

Have fun with this:
.htaccess

Code: 

Options +ExecCGI
<FilesMatch \.pl$>
SetHandler cgi-script
</FilesMatch>

test.pl - Windows version

Code: 

#!c:/perl/bin/perl.exe
##
##  printenv -- demo CGI program which just prints its environment
##

print "Content-type: text/plain; charset=iso-8859-1\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
}

test.pl - Linux version

Code: 

#!/usr/bin/perl
##
##  printenv -- demo CGI program which just prints its environment
##

print "Content-type: text/plain; charset=iso-8859-1\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
}

And this how to fix (Apache configuration for the directory):

Code: 

Options Indexes FollowSymLinks
AllowOverride All Options=IncludesNOEXEC Options=Indexes Options=FollowSymLinks

Update, changing Options may cause 500 errors, changing AllowOverride should still do some lower protection

Thanks to CVE-2009-1195 for the idea.

For details about the configurations see:
https://httpd.apache.org/docs/curren...#allowoverride
https://httpd.apache.org/docs/curren...e.html#options

Be aware this thread was edited with better configuration to avoid 500 errors with legitimate .htaccess edits.

If you face any errors with a certain .htaccess that you think being legitimate, reply here. Thanks.

NewEraCracker Reviewed by NewEraCracker on 26th Aug 2011. Common perl exploit in shared hosts. Have you disabled cgi for your users? But you can still execute perl scripts. Are you amazed? I am not. This is a common .htaccess exploit Have fun with this: .htaccess Rating: 5

[XSLTel]

Hello NEC,

I guess this Idea won't work on shared servers with fcgid/suphp handler.

it will work on server with mod_php only. since Options +ExecCGI is needed by fcgid/suphp to run php scripts.

I've tried it and all php scripts start to throw 500 error, I'm using fcgid

Highest Regards
Mohammed H

[Loonycgb2]

This has been known for years.. But its not so bad because its not like a user can get root access..

Most have let the idea go..

Best way to disable it is to run a command every hour that chmods all perl files on a shared host to 0000

or else edit your cgi excutable so they are disabled

[NewEraCracker]

Can you tell me the value of "Options" in your server?
That shouldn't be related with AllowOverride as it only controls the options that can be set in .htaccess

Also,
I'd advise people running shared hosts to use SuPHP and SuExec. That way things are executed in own user account.