in reply to Apache 2 / mod_perl exploit

My opinion on this is, that mod_perl 1 shouldn't be used in a multi-user setup anyway due to the problem of a shared interpreter. Theoretically, Apache 2 promised a way around the problem of shared interpreter(s), but seemingly, there are other problems ...

I am aware of only two "safe" solutions for doing mod_perl hosting for multiple servers on one machine:

  1. The "Combust" setup (used by perl.org and develooper.com from what I know). Have one Apache 2 front act as a reverse proxy, forwarding requests to multiple Apache 1 servers running mod_perl. One Apache 1 instance per virtual host.
  2. IP-Tables setup (dreamed up by me but discarded for most likely not working and difficult to set up). Look at incoming (SYN) packets, and rewrite their port adresses depending on the virtual host as named in the Host: hostname.example.com part. This does not work for persistent connections, and does not work for very long (fragmented IP packets) requests, but might be faster, as all redirection happens on the network level.

Other compartementizing setups (and/or links to them) are welcome!

perl -MHTTP::Daemon -MHTTP::Response -MLWP::Simple -e ' ;    # The  
$d = new HTTP::Daemon and fork and getprint $d->url and exit;#spider
($c = $d->accept())->get_request(); $c->send_response( new   #in the
HTTP::Response(200,$_,$_,qq(Just another Perl hacker\n))); ' #  web

[download]

Replies are listed 'Best First'.
Re: Re: Apache 2 / mod_perl exploit
by Anonymous Monk on Jan 22, 2004 at 11:59 UTC
    1. That's a good setup even if the backend servers aren't shared.

    See Safe::World as an alternative. Safe::World may not protect against this by default.

[reply]

In Section Perl News