[2951] in WWW Security List Archive

Re: 'phf' cgi-bin attack

daemon@ATHENA.MIT.EDU (Simon Juden)
Tue Sep 17 10:11:47 1996

Date: Tue, 17 Sep 96 13:23:28 BST
From: Simon Juden <simon@satobsys.co.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: <323DD2B8.4EAC@webarna.com> (jordi@webarna.com)
Reply-To: simon@satobsys.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu


Hmmm - phf seems part of standard setup, yet I've no idea what it
does.  Here's the result of "strings phf" - rather bizarre...
------------------------------------------------------------------------------

Qalias
 Alias
Qname
Name
Qemail
€E-mail Address
Qnickname
xNickname
Qoffice_phone
<Office Phone Number
Qcallsign
HAM Callsign
Qproxy
@Proxy
Qhigh_school
High School
Qslip
SLIP Address
Qcurriculum
@Curriculum
Qphone
@Phone Number
Qaddress
€Address
Qoffice_address
€Office Address
Qhome_address
€Home Address
Qpermanent_address
€Permanent Address
Qpermanent_phone
<Permanent Phone
Qdepartment
@Department
Qtitle
@Title
Qproject
Project
Qother
Other
Qbirthday
Birthday
Qcolleges
xColleges Attended
Qleft_uiuc
Date/Month Person left UIUC
------------------------------------------------------------------------------

and here's the result of just running "phf" (from sh)

Content-type: text/html

<TITLE>Form for CSO PH query</TITLE>
<H1>Form for CSO PH query</H1>
This form will send a PH query to the specified ph server.
<P>
<HR>
<FORM ACTION="http://(null):(null)(null)">
PH Server:<INPUT TYPE="text" NAME="Jserver" VALUE="ns.uiuc.edu" MAXLENGTH="256">
<P>
<H3>At least one of these fields must be specified:</H3><UL>
<LI><INPUT TYPE="text" NAME="Qalias" MAXLENGTH="32">Alias
<LI><INPUT TYPE="text" NAME="Qname" MAXLENGTH="256">Name
<LI><INPUT TYPE="text" NAME="Qemail" MAXLENGTH="128">E-mail Address
<LI><INPUT TYPE="text" NAME="Qnickname" MAXLENGTH="120">Nickname
<LI><INPUT TYPE="text" NAME="Qoffice_phone" MAXLENGTH="60">Office Phone Number
<LI><INPUT TYPE="text" NAME="Qcallsign" MAXLENGTH="16">HAM Callsign
<LI><INPUT TYPE="text" NAME="Qproxy" MAXLENGTH="64">Proxy
<LI><INPUT TYPE="text" NAME="Qhigh_school" MAXLENGTH="30">High School
<LI><INPUT TYPE="text" NAME="Qslip" MAXLENGTH="256">SLIP Address
</UL>
<A HREF="(null)?Jform=16"><H3>Show additional fields to narrow query</H3></A>
<P>
<A HREF="(null)?Jform=1"><H3>Return more than default fields</H3></A>
<P>
<INPUT TYPE="submit">
</FORM>
<HR>
<ADDRESS>Questions, comments to: <a href="http://www.ncsa.uiuc.edu/SDG/People/jbrowne/jbrowne.html">Jim Browne</a>
</ADDRESS>
------------------------------------------------------------------------------

Why this should be part of the setup I've no clue.  I'm deleting mine
now, and if anything breaks I'll let you know - otherwise I think it's
safe to assume phf is something worth losing....

Obvious lesson for me...I should know what _every_ CGI script in the
bin does.  Having only just taken over is no excuse.  

Simon
---
Dr Simon Juden,				Telephone: +44 (0)1483 421213
Satellite Observing Systems,		Fax      : +44 (0)1483 428691
15 Church Street, Godalming,		E-mail   : simon@satobsys.co.uk
Surrey, GU7 1EL UK			WWW      : http://www.satobsys.co.uk/
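
The lesson drawn in the message above (know what every program in the CGI bin does) can be turned into a routine check. The following is an added example, not part of the original message or of any server distribution: a POSIX sh function that lists every executable in a cgi-bin directory whose name is not on a reviewed allowlist. The directory path, the allowlist file and its format (one file name per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory a cgi-bin directory against a list of reviewed programs.
# Assumed (hypothetical) inputs:
#   DIR       - the server's cgi-bin directory
#   ALLOWLIST - text file, one reviewed program name per line ('#' lines are notes)

# audit_cgi_bin DIR ALLOWLIST
# Prints "UNREVIEWED <name> <size-in-bytes>" for each regular, executable file in
# DIR that is not named in ALLOWLIST.
# Returns 0 if every executable is reviewed, 1 if any is not, 2 on bad arguments.
audit_cgi_bin() {
    dir=$1
    allow=$2
    if [ ! -d "$dir" ] || [ ! -r "$allow" ]; then
        echo "usage: audit_cgi_bin DIR ALLOWLIST" >&2
        return 2
    fi
    found=0
    for path in "$dir"/*; do
        # Only regular files with an execute bit can be run as CGI programs.
        [ -f "$path" ] && [ -x "$path" ] || continue
        name=${path##*/}
        # -x: match the whole line, -F: fixed string, so "phf" never matches "phf2".
        if ! grep -qxF -- "$name" "$allow"; then
            size=$(wc -c < "$path" | tr -d ' ')
            echo "UNREVIEWED $name $size"
            found=1
        fi
    done
    return $found
}

# Run stand-alone as: sh audit.sh /path/to/cgi-bin reviewed.txt
if [ "$#" -eq 2 ]; then
    audit_cgi_bin "$1" "$2"
fi
```

Anything reported as UNREVIEWED is a candidate for the same treatment phf gets above: inspect it, then either add it to the allowlist or remove it.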
