diff --git a/Gemfile.lock b/Gemfile.lock
index 1e32684a7..f1b2ece8f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -41,7 +41,11 @@ GEM
json (~> 1.4)
rsync (1.0.9)
semantic_puppet (0.1.3)
+ spidr (0.6.0)
+ nokogiri (~> 1.3)
thor (0.19.1)
+ wordlist (0.1.1)
+ spidr (~> 0.2)
yard (0.8.7.6)
PLATFORMS
@@ -54,7 +58,8 @@ DEPENDENCIES
puppet
rake
rdoc
+ wordlist
yard
BUNDLED WITH
- 1.11.2
+ 1.12.5
diff --git a/modules/services/unix/http/apache/manifests/params.pp b/modules/services/unix/http/apache/manifests/params.pp
index 99f1a72e8..3df4d005c 100644
--- a/modules/services/unix/http/apache/manifests/params.pp
+++ b/modules/services/unix/http/apache/manifests/params.pp
@@ -203,7 +203,7 @@ class apache::params inherits ::apache::version {
$logroot = '/var/log/apache2'
$logroot_mode = undef
$lib_path = '/usr/lib/apache2/modules'
- $mpm_module = 'worker'
+ $mpm_module = 'prefork'
$default_ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
$default_ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key'
$ssl_certs_dir = '/etc/ssl/certs'
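Review bot: The new default `$mpm_module = 'prefork'` silently changes the MPM for every host built from this shared apache module, and nothing in the hunk says why. It is presumably there so that `apache::mod::php` (which the new gitlist module includes) can load, since mod_php is not usable under a threaded MPM, but a reader of params.pp cannot tell that. A one-line comment above it such as `# prefork rather than worker: mod_php (used by the webapp modules) needs a non-threaded MPM` would stop the next maintainer from switching it back. If only the gitlist module needs it, passing `mpm_module => 'prefork'` to the apache class from that module would keep the shared default untouched.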
diff --git a/modules/services/unix/http/apache/manifests/vhost.pp b/modules/services/unix/http/apache/manifests/vhost.pp
index 8b5422e5a..467fcdcf9 100644
--- a/modules/services/unix/http/apache/manifests/vhost.pp
+++ b/modules/services/unix/http/apache/manifests/vhost.pp
@@ -37,7 +37,7 @@ define apache::vhost(
$servername = $name,
$serveraliases = [],
$options = ['Indexes','FollowSymLinks','MultiViews'],
- $override = ['None'],
+ $override = ['All'],
$directoryindex = '',
$vhost_name = '*',
$logroot = $::apache::logroot,
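Review bot: Changing the `$override` default to `['All']` turns on `.htaccess` processing for every vhost declared from this shared define, not just the one that needs it, and that is a security-relevant widening: any writable file under any docroot can then rewrite Apache configuration for that directory. The only consumer in this commit that needs it, the `www-gitlist` vhost, already passes `override => 'All'` explicitly, so the default change is redundant. I would keep `$override = ['None'],` here and leave the opt-in to the individual vhost; if the change is deliberate, a comment stating which modules rely on it is the minimum.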
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/files/gitlist-0.4.0.tar.gz b/modules/vulnerabilities/unix/webapp/gitlist_040/files/gitlist-0.4.0.tar.gz
new file mode 100644
index 000000000..62acdc803
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/gitlist_040/files/gitlist-0.4.0.tar.gz differ
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/gitlist_040.pp b/modules/vulnerabilities/unix/webapp/gitlist_040/gitlist_040.pp
new file mode 100644
index 000000000..7c8c10c04
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlist_040/gitlist_040.pp
@@ -0,0 +1 @@
+require gitlist_040
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/configure.pp b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/configure.pp
new file mode 100644
index 000000000..77e62e57e
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/configure.pp
@@ -0,0 +1,29 @@
+class gitlist_040::configure {
+
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ # Create /home/git/repositories
+ file { ['/home/git', '/home/git/repositories']:
+ ensure => directory,
+ owner => 'www-data',
+ }
+
+ # Cloning the secgen repo as a repo with activity is required
+ # if this adds too much time due to size we can replace with another repo later
+ exec { 'clone-secgen-repo':
+ cwd => '/home/git/repositories/',
+ command => 'git clone https://github.com/cliffe/secgen',
+ }
+
+ include ::apache
+ include ::apache::mod::rewrite
+ include ::apache::mod::php
+
+ ::apache::vhost { 'www-gitlist':
+ port => '80',
+ docroot => '/var/www/gitlist',
+ override => 'All',
+ redirect_source =>'/',
+ redirect_dest => '/gitlist/',
+ }
+}
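Review bot: `exec { 'clone-secgen-repo': ... }` has no `creates` (or `unless`) guard, so it runs on every agent run and, once the checkout exists, `git clone` fails because the target directory is non-empty, leaving the catalog permanently non-idempotent; add `creates => '/home/git/repositories/secgen',` to the resource. The clone also runs as root while `/home/git/repositories` is owned by `www-data`, so the repository itself will be root-owned — if gitlist (running as the Apache user) only needs read access that is fine, but `user => 'www-data',` on the exec would match the directory ownership and is worth confirming. Finally, the exec depends on outbound network access to github.com; a comment such as `# requires network access at build time` would make that build-time dependency visible.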
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/init.pp b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/init.pp
new file mode 100644
index 000000000..11922fa56
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/init.pp
@@ -0,0 +1,4 @@
+class gitlist_040{
+ require gitlist_040::install
+ require gitlist_040::configure
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/install.pp b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/install.pp
new file mode 100644
index 000000000..2158cfa09
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlist_040/manifests/install.pp
@@ -0,0 +1,32 @@
+class gitlist_040::install {
+
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ package { ['git', 'php5']:
+ ensure => installed,
+ }
+
+ $archive = 'gitlist-0.4.0.tar.gz'
+
+ file { "/usr/local/src/$archive":
+ ensure => file,
+ source => "puppet:///modules/gitlist_040/$archive",
+ }
+
+ exec { 'unpack-gitlist':
+ cwd => '/usr/local/src',
+ command => "tar -xzf $archive -C /var/www",
+ }
+
+ exec { 'copy-ini-file':
+ require => Exec['unpack-gitlist'],
+ command => 'cp /var/www/gitlist/config.ini-example /var/www/gitlist/config.ini',
+ }
+
+ file { '/var/www/gitlist/cache':
+ require => Exec['unpack-gitlist'],
+ ensure => directory,
+ mode => '777',
+ }
+
+}
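Review bot: `exec { 'unpack-gitlist': ... }` has no `creates` guard and no dependency on the `file` resource that places the archive, so it re-extracts on every run and, because Puppet does not autorequire an arbitrary file in an exec's cwd, may run before `/usr/local/src/$archive` exists on a fresh host; `copy-ini-file` likewise re-copies `config.ini-example` over `config.ini` on every run, discarding any edits. Adding `creates => '/var/www/gitlist',` and `require => File["/usr/local/src/$archive"],` to `unpack-gitlist`, and `creates => '/var/www/gitlist/config.ini',` to `copy-ini-file`, makes both converge. Separately, `mode => '777'` on `/var/www/gitlist/cache` leaves a root-owned, world-writable directory; the intended vulnerability for this module is CVE-2014-4511, not a writable cache, so `owner => 'www-data', mode => '0755'` is presumably sufficient for the PHP worker (Puppet convention is a four-digit mode either way). A `require => Package['git', 'php5']` on the execs would also pin the package installs, which nothing currently orders.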
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/gitlist_040/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/gitlist_040/secgen_metadata.xml
new file mode 100644
index 000000000..7d892bc8e
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/gitlist_040/secgen_metadata.xml
@@ -0,0 +1,39 @@
+
+
+
+ Gitlist 0.4.0 RCE
+ Thomas Shaw
+ MIT
+
+ Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file
+ name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to
+ blame/master/, master/, and stats/master/.
+
+
+ webapp
+ user
+ remote
+ linux
+
+
+ low
+ CVE-2014-4511
+
+ 7.5
+ AV:N/AC:L/Au:N/C:P/I:P/A:P
+
+
+ exploit/linux/http/gitlist_exec
+ Visit the webapp in a browser at: ip:80/gitlist
+
+
+ webapp
+
+
+
+ modules/services/unix/http/apache
+
+
+
\ No newline at end of file
diff --git a/scenarios/simple_examples/gitlist_webapp_vulnerability.xml b/scenarios/simple_examples/gitlist_webapp_vulnerability.xml
new file mode 100644
index 000000000..d32aa957e
--- /dev/null
+++ b/scenarios/simple_examples/gitlist_webapp_vulnerability.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+ file_server
+
+
+
+
+
+
+
+