[2970] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Andrew Wilson)
Wed Sep 18 00:21:20 1996
From: Andrew Wilson <andrew@aaaaaaaa.demon.co.uk>
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
Date: Wed, 18 Sep 1996 03:01:19 +0100 (BST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9609171631.AA18969@sun.cse.bris.ac.uk> from "Steff Watkins" at Sep 17, 96 05:31:44 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> Simon Juden wrote:
> =>
> =>Hmmm - phf seems part of standard setup, yet I've no idea what it
> =>does. Here's the result of "strings phf" - rather bizarre...
[blink!]
Ask the original author? Read the source code?
> Hello,
>
> I think (though I cannot be sure) that 'phf' is NOT meant to do ANYTHING
> (in particular for the general webservice, that is). It is a released
> example of how to handle form inputs, that's all.
Yep.
[yeah, homeboy, you installed it on your tiny leetle
webserver out in the boondocks and now your ass is getting
fried by hackers from all over the planet, and it's
all your fault]
> Since using the NCSA webserver (version 1.3), I have been led to believe
> that you should NOT have these executables in your 'standard' setup. They
> are given PURELY as examples of how things can be done, as a guide to
> programmers and such like on how to accomplish tasks.
Yep.
[yeah, uuh, etc...]
> I think about the only distributed CGI program that may be of any use is
> the imagemap.c source, and even that is redundant now as you can compile
> imagemap support into the webserver.
>
> I thought it was generally accepted that this was the case, and that when
> people got the complete distribution from NCSA (or wherever), they near
> automatically 'mv cgi-bin cgi-dist', so that it was out of the way and
> generally not accessible across the web.
This has never been generally accepted, though it is certainly the
correct thing to do. [apache group are now, seemingly, of a mind
to not distribute a workable 'example' cgi-bin set, for fear that
people will assume these scripts have been okayed and should
be immediately added to the local site's set]
> Without question, I think it is the best policy to have NO files in your
> cgi-bin directory whose purpose is either unknown or vague to you. If they
> come with a distributed release, move them somewhere safe until you know
> what they do and whether they have a purpose in YOUR webservice. If the
> owner of a script is vague about its function, make it '-x' until they can
> be a little more clear about it.
Excellent, if not ESSENTIAL advice.
> I am currently rebuilding the web here at Bristol University, and moving
> the webservers from Cern 3.0 to NCSA. With the NCSA release comes a
> 'standard cgi-bin' directory. I always 'mv cgi-bin cgi-dist', so that it
> is out of the way but still there IF (and only if) I need any of its files
> at which point they get copied back into cgi-bin. Since doing that, on a
> total of eight webservers serving 16,000 potential web authors, I have
> moved NONE from cgi-dist to cgi-bin.
>
> As I said before, I believe that they are meant as 'example CGIs' (I even
> believe that I have read that in one of NCSA's own documents).
It seems that for apache group these are intended as examples.
None of the scripts are maintained on a day-to-day basis by the
authors of that server.
> If you are using untested software, with unknown functionality, then you
> are opening a whole world of hurt for yourself. The hackers who have used
> this attack know about 'phf' (because it is a distributed program) and
> they know of the holes that it contains. They are opportunists, who take
> the chance to see if YOUR webserver has 'phf' and if it does, whether that
> 'phf' has the holes they know about.
>
> My advice to you, and to every other webadmin everywhere, is to move the
> NCSA (and any other) distributed cgi-bins to somewhere safe and leave them
> there until you know for definite that you need them.
>
> Your cgi-bin directory should ONLY be populated by files that you know are
> in use, and you feel safe to use on your system.
>
> If you are NOT running your webservice in this fashion, you may as well
> just post all your (unencrypted) passwords out on 'alt.hackers' and sit
> back cos those boys will find the holes and they will use them!!!
I've been reading this list for years. This one post promotes the
BEST in caution. Never run someone else's programs on your computer.
Never run someone else's programs on your computer.
Ever.
> Steff
>
> : Steff Watkins, General Computer-type being
> : University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
> :
> : RFC-822 : Steff.Watkins@bris.ac.uk
> : X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
> : Phone: +44 177 287869 (external) 3046 / 7651 (internal)
Ay.
Andrew.Wilson@cm.cf.ac.uk http://www.cm.cf.ac.uk/User/Andrew.Wilson/
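The thread's policy (move the distributed cgi-bin aside, keep only scripts you know are in use, make anything unknown '-x') can be enforced mechanically. The script below is an added example, not code from the thread or from NCSA/Apache; the directory names, the one-name-per-line allowlist and the constructed stub scripts are assumptions for the demo.

```shell
#!/bin/sh
# Quarantine every CGI in cgi-bin that is not on an explicit allowlist, mirroring the
# thread's advice: move the distribution scripts aside and leave unknown ones non-executable.
# Directory names and the allowlist format are assumptions for this demo.

# quarantine_unknown_cgi CGI_BIN CGI_DIST ALLOW_FILE
# Moves each regular file in CGI_BIN whose basename is not a line of ALLOW_FILE into
# CGI_DIST and strips its execute bits. Prints the quarantined names, one per line.
quarantine_unknown_cgi() {
    cgi_bin=$1; cgi_dist=$2; allow_file=$3
    mkdir -p "$cgi_dist"
    for f in "$cgi_bin"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if grep -qx -- "$name" "$allow_file"; then
            continue                 # known and wanted: leave it where it is
        fi
        mv -- "$f" "$cgi_dist/$name"
        chmod a-x "$cgi_dist/$name"  # not runnable even if someone copies it back by mistake
        echo "$name"
    done
}

# Build a constructed cgi-bin under a temp dir (not a real server) so this runs offline.
# Four stub scripts, of which only 'search' is declared as in use. Echoes the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/cgi-bin"
    for s in phf test-cgi imagemap search; do
        printf '#!/bin/sh\necho stub\n' > "$root/cgi-bin/$s"
        chmod +x "$root/cgi-bin/$s"
    done
    printf 'search\n' > "$root/allow.txt"
    echo "$root"
}

# Run with --demo to see it act on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    quarantine_unknown_cgi "$root/cgi-bin" "$root/cgi-dist" "$root/allow.txt"
    ls -l "$root/cgi-bin" "$root/cgi-dist"
fi
```

On the constructed tree, phf, test-cgi and imagemap end up in cgi-dist without execute bits and only search stays in cgi-bin.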