https://bugzilla.redhat.com/show_bug.cgi?id=1623265

--- Comment #6 from Scott Gayou <sgayou@xxxxxxxxxx> ---

Thanks for the reproduction notes, ppisar. Quite easy to reproduce and gain code execution as the apache process.

As a note, SELinux does technically mitigate this in that the UserDir functionality will not work without specific SELinux booleans (httpd_enable_homedirs and perhaps httpd_read_user_content). However, it is unlikely that anyone would enable UserDir and not set the corresponding SELinux flags, as the functionality would obviously not work until the booleans are set.

Seems like this flaw could impact shared hosting the most. My guess is that a good mitigation now is to disable UserDir functionality and potentially .htaccess processing via AllowOverride None.

_______________________________________________
perl-devel mailing list -- perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
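
The mitigation suggested in the comment above can be checked mechanically. The following is an added example, not part of the bug report or of any project's code: a Python check that flags httpd configuration text where UserDir is not fully disabled or where `AllowOverride` is anything other than `None`. The function name `audit_httpd_conf` and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from the bug report).
SAMPLE_CONF = """\
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
</Directory>
<Directory "/var/www/html">
    AllowOverride None
</Directory>
"""
HARDENED_CONF = """\
UserDir disabled
<Directory "/home/*/public_html">
    AllowOverride None
</Directory>
"""

def audit_httpd_conf(text):
    """Return (line number, message) findings for UserDir and .htaccess use."""
    findings, dirs = [], []  # dirs: stack of enclosing <Directory> paths
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Directory(?:Match)?\s+(.+?)>$", line, re.I)
        if opened:
            dirs.append(opened.group(1).strip('"'))
        elif re.match(r"</Directory(?:Match)?>$", line, re.I):
            if dirs:
                dirs.pop()
        else:
            parts = line.split()
            name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            # Only a bare "UserDir disabled" turns off every ~user mapping.
            if name == "userdir" and args != ["disabled"]:
                findings.append((lineno, "UserDir not fully disabled: " + line))
            # Any value other than None lets .htaccess directives take effect.
            elif name == "allowoverride" and args != ["none"]:
                scope = dirs[-1] if dirs else "(no Directory section)"
                findings.append((lineno, ".htaccess overrides allowed in " + scope))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

The check reads one configuration text at a time and does not follow `Include` directives, so each included file has to be passed to it separately.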