[2985] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Sep 18 22:47:13 1996
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
Date: Thu, 19 Sep 1996 00:11:53 +0100 (BST)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9609171631.AA18969@sun.cse.bris.ac.uk> from "Steff Watkins" at Sep 17, 96 05:31:44 pm
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu
Steff Watkins wrote:
>
> Simon Juden wrote:
> =>
> =>Hmmm - phf seems part of standard setup, yet I've no idea what it
> =>does. Here's the result of "strings phf" - rather bizarre...
>
> =>Why this should be part of the setup I've no clue. I'm deleting mine
> =>now, and if anything breaks I'll let you know - otherwise I think it's
> =>safe to assume phf is something worth losing....
> =>
> =>Obvious lesson for me...I should know what _every_ CGI script in the
> =>bin does. Having only just taken over is no excuse.
>
> Hello,
>
> I think (though I cannot be sure) that 'phf' is NOT meant to do ANYTHING
> (in particular for the general webservice, that is). It is a released
> example of how to handle form inputs, that's all.
Or, it would seem, how not to handle form inputs.
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England. Apache Group member (http://www.apache.org)