Jan Ingvoldstad

#23511 of 53,633
10 Total CVSS
Vulnerabilities · 1
PT-2018-2725
10
2018-08-26
Apache · Apache Http Server · CVE-2011-2767
**Name of the Vulnerable Software and Affected Versions**

mod_perl versions 2.0 through 2.0.10

**Description**

The issue allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file. This is possible because there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes. The vulnerability is related to code injection in the .htaccess file, which can be exploited by a remote attacker to execute arbitrary Perl code under the context of the user account running Apache HTTP Server processes.

**Recommendations**

For mod_perl versions 2.0 through 2.0.10, consider disabling the execution of Perl code in .htaccess files until a patch is available. Restrict access to the .htaccess file to minimize the risk of exploitation. Avoid using Perl code in .htaccess files for HTTP request processing until the issue is resolved.