Posted to dev@perl.apache.org by Torsten Foertsch <to...@gmx.net> on 2009/04/01 18:16:50 UTC

Re: Security Problems ???

On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> > almost a month ago there was this posting on the users list
> >
> >   http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >
> > stating there was a security related bug in modperl.
> >
> > Since then there were no svn updates touching the code. I'd like to
> > know if my servers are secure. So, where can I get more information
> > about the bug to perhaps help to fix it?
> >
> > Who knows more about the bug, please issue a statement if it is a
> > bug or not. If it is but nobody has the resources to fix it, please
> > let me know (privately) what it is. If I can I'll do it then.
>
> AFAIK, the original submitter didn't follow up and explain what the
> potential security problem was. He was told to contact
> security@apache.org, but I haven't heard anything from them.

Just FYI, the bug is a simple cross site scripting thing in 
Apache2::Status (and probably in mp1's Apache::Status as well)

The mp2 stuff is fixed by the enclosed patch as the original submitter 
has confirmed. I have committed it as revision 760926.

MP1 people, please check Apache::Status.

Apache2::Status users, please test.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

Re: Security Problems ???

Posted by Torsten Foertsch <to...@gmx.net>.
On Wed 01 Apr 2009, Perrin Harkins wrote:
> On Wed, Apr 1, 2009 at 1:51 PM, Torsten Foertsch <to...@gmx.net> wrote:
> > I hope you understand, there is a security bug and it seems nobody
> > cares for a month!
>
> Try not to take it personally, Torsten.  Sometimes people claim to
> have a security bug, but later find it's not really a bug and then
> don't want to embarrass themselves by saying so.  I don't think we
> make it very hard for people to report security bugs.

No offense taken, I just wanted to explain the situation.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: Security Problems ???

Posted by Perrin Harkins <pe...@elem.com>.
On Wed, Apr 1, 2009 at 1:51 PM, Torsten Foertsch
<to...@gmx.net> wrote:
> I hope you understand, there is a security bug and it seems nobody cares
> for a month!

Try not to take it personally, Torsten.  Sometimes people claim to
have a security bug, but later find it's not really a bug and then
don't want to embarrass themselves by saying so.  I don't think we
make it very hard for people to report security bugs.

- Perrin

Re: Security Problems ???

Posted by Torsten Foertsch <to...@gmx.net>.
On Wed 01 Apr 2009, Geoffrey Young wrote:
> Torsten Foertsch wrote:
> > On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> >>> almost a month ago there was this posting on the users list
> >>>
> >>>   http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >>>
> >>> stating there was a security related bug in modperl.
> >>>
> >>> Since then there were no svn updates touching the code. I'd like
> >>> to know if my servers are secure. So, where can I get more
> >>> information about the bug to perhaps help to fix it?
> >>>
> >>> Who knows more about the bug, please issue a statement if it is a
> >>> bug or not. If it is but nobody has the resources to fix it,
> >>> please let me know (privately) what it is. If I can I'll do it
> >>> then.
> >>
> >> AFAIK, the original submitter didn't follow up and explain what
> >> the potential security problem was. He was told to contact
> >> security@apache.org, but I haven't heard anything from them.
> >
> > Just FYI, the bug is a simple cross site scripting thing in
> > Apache2::Status (and probably in mp1's Apache::Status as well)
>
> just for clarification, do you know this because he contacted you
> directly?  or are you on security@a.o.  I can't see any further
> discussion of it in the archives, but I'm not on security@ so I don't
> know what goes on there.

No, I am not on security@a.o. I have seen his announcement about the problem 
on the users list on 01.03.09. That is now a month ago. 3 weeks later 
(21.03.09) I asked here on the dev list if anybody knows anything about 
the bug because I couldn't see any change in the code. So, it was 
clearly not fixed yet. The original submitter answered privately that 
it was something to do with perl_status. Further, Gozer replied that 
either nothing has appeared on security@a.o or he was not contacted 
about the bug by them.

Anyway, I do not think that a security bug floating around in the wild 
for almost a month is a good thing. So, I inspected the code and found 
that $r->uri was written unaltered to links in the output. So any 
path_info goes there as well. Then I asked the original submitter if it 
was this and he confirmed it.

After finding out what the problem is I asked Gozer on 23.03.09 
privately and described the problem because of his first mail about not 
hearing from security@a.o. In this mail I asked him:

On Mon 23 Mar 2009, Torsten Foertsch wrote:
> What will we do about it? I think we need to issue a statement: "do
> not use Apache::Status on a publicly accessible web server". I don't
> think anyone in a proper state of mind does that. But leaving a mail
> like this unanswered is not good.

But unfortunately got no answer.

I hope you understand, there is a security bug and it seems nobody cares 
for a month!

So, in the end I fixed it, asked the original submitter if the patch 
cures the problem, got his confirmation and went public.

I know I haven't handled the issue the best way. But I didn't know how 
else. Nobody answered my mails, nobody did anything. Except for the 
submitter.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net
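The pattern described above (the request URI, path_info included, interpolated unescaped into the links of the status page), as an added example that is not part of the original thread and is not the code of Apache2::Status or of revision 760926. The shape of the link and the names `link_vulnerable`, `link_safe` and `html_escape` are assumptions made for the illustration; the attack URI is constructed. It runs under plain perl, without mod_perl, because it only fakes the string `$r->uri` would return:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaper using core Perl only (assumption: under mod_perl one
# would reach for Apache2::Util::escape_html or HTML::Entities instead).
# Escapes the five characters that matter inside an attribute value or a
# text node.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern (assumed link shape): the value of $r->uri is written
# straight into an href. Apache hands $r->uri back URL-decoded and with any
# trailing path_info still attached, so everything after /perl-status is
# attacker-controlled text landing inside an HTML attribute.
sub link_vulnerable {
    my ($uri, $label) = @_;
    return qq{<a href="$uri?$label">$label</a>};
}

# Hardened pattern: escape every client-derived string before it is
# interpolated into markup.
sub link_safe {
    my ($uri, $label) = @_;
    return sprintf('<a href="%s?%s">%s</a>',
                   html_escape($uri), html_escape($label), html_escape($label));
}

# Constructed request URI: what $r->uri would return for a request to
# /perl-status followed by attacker-chosen path_info.
my $attack_uri = q{/perl-status/"><script>alert(document.cookie)</script>};

print "vulnerable: ", link_vulnerable($attack_uri, 'inc'), "\n";
print "hardened:   ", link_safe($attack_uri, 'inc'), "\n";
```

The first line printed shows the closing quote and `<script>` element escaping from the attribute; the second shows the same input rendered inert as `&quot;&gt;&lt;script&gt;...`. Escaping on output is the fix for the bug itself; the advice quoted in the message above, not exposing the status handler on a publicly reachable server, is the independent access-control layer that limits who can reach such a page at all.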

Re: Security Problems ???

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Torsten Foertsch wrote:
> On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
>>> almost a month ago there was this posting on the users list
>>>
>>>   http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
>>>
>>> stating there was a security related bug in modperl.
>>>
>>> Since then there were no svn updates touching the code. I'd like to
>>> know if my servers are secure. So, where can I get more information
>>> about the bug to perhaps help to fix it?
>>>
>>> Who knows more about the bug, please issue a statement if it is a
>>> bug or not. If it is but nobody has the resources to fix it, please
>>> let me know (privately) what it is. If I can I'll do it then.
>> AFAIK, the original submitter didn't follow up and explain what the
>> potential security problem was. He was told to contact
>> security@apache.org, but I haven't heard anything from them.
> 
> Just FYI, the bug is a simple cross site scripting thing in 
> Apache2::Status (and probably in mp1's Apache::Status as well)

just for clarification, do you know this because he contacted you
directly?  or are you on security@a.o.  I can't see any further
discussion of it in the archives, but I'm not on security@ so I don't
know what goes on there.

> 
> The mp2 stuff is fixed by the enclosed patch as the original submitter 
> has confirmed. I have committed it as revision 760926.

I guess it's not your fault, but I wish this had been attended to a bit
differently.

security@a.o exists for a reason.  when a security concern is raised
they (not us as individuals) are the "private channel."  the path ought
to be discussion between the reporter and security@, followed by
discussion by the pmc on how to best integrate any fix into our release
cycle.  security@ *just* brought the pmc into things this morning, so
that's where we *ought* to be at this moment in time...

bringing the vulnerability into the open with a patch that addresses
half our codebase isn't serving our users well.

anyway, we seem to go through this security exercise every few years, so
it's not unforgivable that things weren't handled in an ideal manner (we
have so few security bugs, thankfully :)  but if you hadn't committed
the patch then we wouldn't be telling the world about the vulnerability
before we had started (or finished) a release cycle.

--Geoff
