[2957] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Steff Watkins)
Tue Sep 17 15:05:56 1996
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Tue, 17 Sep 1996 17:31:44 +0100 (BST)
In-Reply-To: <9609171223.AA01861@satobsys.co.uk> from "Simon Juden" at Sep 17, 96 01:23:28 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Simon Juden wrote:
=>
=>Hmmm - phf seems part of standard setup, yet I've no idea what it
=>does. Here's the result of "strings phf" - rather bizarre...
=>Why this should be part of the setup I've no clue. I'm deleting mine
=>now, and if anything breaks I'll let you know - otherwise I think it's
=>safe to assume phf is something worth losing....
=>
=>Obvious lesson for me...I should know what _every_ CGI script in the
=>bin does. Having only just taken over is no excuse.
Hello,
I think (though I cannot be sure) that 'phf' is NOT meant to do ANYTHING
(in particular for the general webservice, that is). It is a released
example of how to handle form inputs, that's all.
Since using the NCSA webserver (version 1.3), I have been led to believe
that you should NOT have these executables in your 'standard' setup. They
are given PURELY as examples of how things can be done, as a guide to
programmers and such like on how to accomplish tasks.
I think about the only distributed CGI program that may be of any use is
the imagemap.c source, and even that is redundant now as you can compile
imagemap support into the webserver.
I thought it was generally accepted that this was the case, and that when
people got the complete distribution from NCSA (or wherever), they near
automatically 'mv cgi-bin cgi-dist', so that it was out of the way and
generally not accessible across the web.
Without question, I think it is the best policy to have NO files in your
cgi-bin directory whose purpose is either unknown or vague to you. If they
come with a distributed release, move them somewhere safe until you know
what they do and whether they have a purpose in YOUR webservice. If the
owner of a script is vague about its function, make it '-x' until they can
be a little more clear about it.
I am currently rebuilding the web here at Bristol University, and moving
the webservers from Cern 3.0 to NCSA. With the NCSA release comes a
'standard cgi-bin' directory. I always 'mv cgi-bin cgi-dist', so that it
is out of the way but still there IF (and only if) I need any of its files
at which point they get copied back into cgi-bin. Since doing that, on a
total of eight webservers serving 16,000 potential web authors, I have
moved NONE from cgi-dist to cgi-bin.
As I said before, I believe that they are meant as 'example CGIs' (I even
believe that I have read that in one of NCSA's own documents).
If you are using untested software, with unknown functionality, then you
are opening a whole world of hurt for yourself. The hackers who have used
this attack know about 'phf' (because it is a distributed program) and
they know of the holes that it contains. They are opportunists, who take
the chance to see if YOUR webserver has 'phf' and if it does, whether that
'phf' has the holes they know about.
My advice to you, and to every other webadmin everywhere, is to move the
NCSA (and any other) distributed cgi-bins to somewhere safe and leave them
there until you know for definite that you need them.
Your cgi-bin directory should ONLY be populated by files that you know are
in use, and you feel safe to use on your system.
If you are NOT running your webservice in this fashion, you may as well
just post all your (unencrypted) passwords out on 'alt.hackers' and sit
back cos those boys will find the holes and they will use them!!!
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 287869 (external) 3046 / 7651 (internal)
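As an added example (not part of Steff's message, and not code shipped with NCSA or any other server), here is a small POSIX sh helper that implements the housekeeping the post recommends: list every executable in cgi-bin that is not on an allowlist of scripts you know you use, then either move the unknown ones aside into a holding directory (the per-file equivalent of 'mv cgi-bin cgi-dist') or strip their execute bit (the "make it '-x'" approach). The directory layout, the allowlist format (one script name per line) and the sample script names it creates for the demo are all assumptions constructed for this illustration.

```shell
#!/bin/sh
# Audit a cgi-bin directory against an allowlist of approved script names.
# Added example; the paths and the allowlist format are assumptions.

# list_unknown DIR ALLOWLIST
# Print the name of each regular, executable file in DIR that does not appear
# (as a whole line) in ALLOWLIST. Always returns 0 so it is safe under 'set -e'.
list_unknown() {
    dir=$1; allow=$2
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        grep -qx -- "$name" "$allow" || printf '%s\n' "$name"
    done
    return 0
}

# count_unknown DIR ALLOWLIST
# Number of unknown executables in DIR, printed as a bare integer.
count_unknown() {
    list_unknown "$1" "$2" | wc -l | tr -d ' '
}

# quarantine_unknown DIR ALLOWLIST DEST
# Move every unknown executable out of DIR into DEST (created if needed), so it
# is kept for later inspection but no longer reachable through the webserver.
quarantine_unknown() {
    dir=$1; allow=$2; dest=$3
    mkdir -p "$dest"
    list_unknown "$dir" "$allow" | while IFS= read -r name; do
        mv -- "$dir/$name" "$dest/$name"
        printf 'moved %s -> %s\n' "$dir/$name" "$dest/$name"
    done
}

# disable_unknown DIR ALLOWLIST
# Alternative to moving: leave the files in place but remove execute permission,
# so the server can no longer run them until someone explains what they are for.
disable_unknown() {
    dir=$1; allow=$2
    list_unknown "$dir" "$allow" | while IFS= read -r name; do
        chmod a-x -- "$dir/$name"
        printf 'disabled %s\n' "$dir/$name"
    done
}

# setup_demo_tree
# Build a constructed cgi-bin with three trivial scripts and an allowlist that
# approves only 'imagemap'. Prints the temporary root directory used.
setup_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/cgi-bin"
    for s in phf query imagemap; do
        printf '#!/bin/sh\necho "Content-type: text/plain"; echo; echo %s\n' "$s" \
            > "$root/cgi-bin/$s"
        chmod +x "$root/cgi-bin/$s"
    done
    printf 'imagemap\n' > "$root/allowed.txt"   # the only script actually in use
    printf '%s\n' "$root"
}

# Stand-alone run: show the unknown scripts, then quarantine them.
demo_root=$(setup_demo_tree)
printf 'Unknown executables in %s/cgi-bin:\n' "$demo_root"
list_unknown "$demo_root/cgi-bin" "$demo_root/allowed.txt"
quarantine_unknown "$demo_root/cgi-bin" "$demo_root/allowed.txt" "$demo_root/cgi-dist"
rm -rf "$demo_root"
```

In real use, point list_unknown at the live cgi-bin and an allowlist you maintain by hand; anything it prints is a script nobody has vouched for, which is exactly the category the post says should not be sitting in a web-reachable directory.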