[2947] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (mol@ecmwf.int)
Mon Sep 16 22:20:01 1996
From: mol@ecmwf.int
To: jordi@webarna.com
Date: Tue, 17 Sep 1996 01:43:00 +0100 (BST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <323DD2B8.4EAC@webarna.com> from "Jordi \"=?iso-8859-1?Q?Matem=E0tic?=\" Salvat" at Sep 16, 96 10:20:45 pm
Errors-To: owner-www-security@ns2.rutgers.edu
In a previous mail, Jordi Salvat wrote:
>
> Many Spanish ISPs are receiving attack attempts on their WWW servers...
> they detect them on their log files in entries such as:
>
> info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET
> /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
>
> Does anyone know what this 'phf' cgi-bin is supposed to be?
>
> Thanks for your help.
> --
> Jordi Salvat i Alabart
> Web Edicions Barcelona
> edicions i consultoria Internet
> http://www.webarna.com
>
I presume this is the phf program part of the NCSA distribution
of CGI example programs:
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/cgi/cgi-src/phf.c
You may want to read Q33 of the www-security-faq:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
(Mirrors of the www-security-faq at:
http://cip.physik.uni-wuerzburg.de/www-security/
http://sz.yy.co.cn/~zhao/WWW/faq/www-security-faq.html
http://www.usma.edu/mirror/WWW/www-security-faq
http://nswt.tuwien.ac.at:8000/www-security-faq/
http://www3.uniovi.es/~rivero/mirror/www-security-faq/
)
Excerpt from the above:
| Q33: What CGI scripts are known to contain security holes?
|
| Quite a number of widely distributed CGI scripts contain known
| security holes. All the ones that are identified here have
| since been caught and fixed, but if you are running an older
| version of the script you may still be vulnerable.
| Get rid of it and obtain the latest version.
|
| --- text deleted ---
|
| "phf" phone book script, distributed with NCSA httpd and Apache
| http://hoohoo.ncsa.uiuc.edu/
|
| The holes in the first two of these scripts were discovered
| by Paul Phillips (paulp@cerf.net), who also wrote the
| CGI security FAQ. The hole in the PHF (phone book) script
| was discovered by Jennifer Myers
| (jmyers@marigold.eecs.nwu.edu), and is representative of a
| potential security hole in all CGI scripts that use
| NCSA's util.c library. Here's a patch to fix the problem in util.c.
|
End of excerpt
The two pointers in the above excerpt are:
CGI security FAQ by Paul Phillips:
http://www.primus.com/staff/paulp/cgi-security/
(this last link appears to be broken at the time of writing this mail)
patch for util.c:
http://cip.physik.uni-wuerzburg.de/www-security/wwwsf8.html#util.c
Hope this helps.
--
Philippe Parmentier E-mail : P.Parmentier@ecmwf.int
Snail : ECMWF, Shinfield Park, Reading, Berkshire RG2 9AX, U.K.
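
Added example, not part of the original mail: a small scanner that flags access-log entries like the one quoted above, i.e. CGI requests whose query string carries a URL-encoded CR or LF (the `%0a` in the `phf` request). It assumes Common Log Format and a `/cgi-bin/` script prefix; the function name and all sample lines except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)$'
)


def suspicious_cgi_requests(lines, prefix="/cgi-bin/"):
    """Return (host, time, path, status) for CGI requests whose
    percent-decoded query string contains a CR or LF byte."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF entry; skip rather than guess
        host, when, _method, target, status, _size = m.groups()
        path, _, query = target.partition("?")
        if not path.startswith(prefix):
            continue
        decoded = unquote_to_bytes(query)  # handles %0a and %0A alike
        if b"\n" in decoded or b"\r" in decoded:
            # Status matters for triage: 404 means the script was not
            # there, 200 means the request reached a CGI program.
            hits.append((host, when, path, int(status)))
    return hits


# First line is the entry quoted in the mail, rejoined onto one line.
# The remaining lines are constructed sample data.
SAMPLE = [
    'info26.jet.es - - [04/Sep/1996:03:17:21 +0100] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -',
    'client.example.org - - [04/Sep/1996:03:18:02 +0100] '
    '"GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512',
    'client.example.org - - [04/Sep/1996:03:19:40 +0100] '
    '"GET /index.html HTTP/1.0" 200 2048',
    'host2.example.net - - [04/Sep/1996:03:20:11 +0100] '
    '"GET /cgi-bin/query?name=a%0Db HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for hit in suspicious_cgi_requests(SAMPLE):
        print(*hit)
```

Entries reported with a 200 status deserve attention first, since the request was served by a script rather than rejected as missing.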