WWW::Mechanize::Cached Local Response Forgery and Code Execution Vulnerability

A vulnerability in WWW::Mechanize::Cached versions prior to 2.00 for Perl allows local response forgery and code execution by deserializing cached HTTP responses from a world-writable on-disk cache. The default cache backend, Cache::FileCache, creates a cache under /tmp/FileCache' with a directory umask of 000, resulting in a 0777 permission mode. This vulnerability enables a local attacker with write access to the cache to replace a victim's cached response with a malicious one, which, when accessed, could execute arbitrary code if the response is processed by a class with a side-effectful deserialization hook.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of cached HTTP responses and execution of arbitrary code in the context of the victim's process.

Reproduction

To reproduce this vulnerability, first ensure that WWW::Mechanize::Cached is installed and a version prior to 2.00 is being used. Then, write a malicious HTTP response blob to the cache directory, which can be done by replacing a cache entry for a known URL. When the victim's process retrieves the URL, the cached response will be deserialized, executing any embedded code. This can be automated with a script that uses WWW::Mechanize::Cached to manipulate the cache.

Remediation

Users should upgrade to WWW::Mechanize::Cached version 2.00 or later, which changes the default cache location to the user's XDG cache home with owner-only permissions.