On Wed, 10 Jul 1996 meowmyx@morebbs.com wrote:
>
> I was browsing through the system files of a web server that sits outside a
> firewall. There were a couple of interesting entries in the access log.
>
> 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
> 960222access:152.163.192.15 - - [21/Jun/1996:12:19:22 -0400]
> "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
>
>
> MeOwMyX
>
I found this reference to the cgi-bin program 'phf' at some archive site:
- Please disable the cgi-bin application 'phf' (provided in source code
- form with the NCSA & Apache httpd server distributions in its cgi-src
- directory as the file phf.c) that you have available on your WWW server:
- it contains a vulnerability that can be exploited by remote clients as an
- avenue through which to read files on your system (e.g. /etc/passwd), execute
- arbitrary commands, create and write to files, and to possibly gain
- unauthorized interactive (login) access without password authentication
- and without leaving a significant system audit trail.
-
- All of these actions can be accomplished with the effective permissions
- of the userid that your httpd daemon runs and services requests under.
-
- I have confirmed that your particular system is vulnerable to some
- degree. Please review your httpd access_log for instances of the string
- "phf" to see if attempts have been made to exploit this vulnerability on
- your system.
-
- (You will find instances of that string resulting from connections
- initiated by aleph1.mit.edu [18.238.0.138]; this was me verifying
- your system's vulnerability during a general survey of its widespread
- nature.)
-
- Thank you, and please pass word of this vulnerability to other WWW
- server administrators.
-
- - Nat Friedman (617-225-6733)
- ndf@linux.mit.edu
Hope this helps!
Chris
********************************************************************
* Chris Carlson email: carlson@cycon.com *
* Cypress Consulting, Inc. http://www.cycon.com *
* Cycon Labyrinth Firewall - Stateful Inspection, Packet Modifier *
********************************************************************
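As an added example (not part of the original thread), a small Python scanner that does what the quoted advisory asks: review an httpd access_log for phf requests. It parses NCSA/Apache Common Log Format lines, percent-decodes the query string, and flags the newline injection the logged requests rely on, distinguishing a 404 (phf absent, probe failed) from a served request. The sample log lines are constructed for this example from the two entries in the post plus one benign request and one hypothetical served (200) probe.

```python
import re
from urllib.parse import unquote

# Common Log Format as written by NCSA/Apache httpd, the format of the
# entries quoted in the thread.
CLF_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: the two probes from the post, a benign request, and a
# hypothetical probe that was actually served (status 200).
SAMPLE_LOG = """\
198.69.26.81 - - [12/Apr/1996:04:24:42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
10.0.0.5 - - [21/Jun/1996:09:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043
152.163.192.15 - - [21/Jun/1996:12:19:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
192.0.2.77 - - [22/Jun/1996:01:02:03 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/id HTTP/1.0" 200 512
"""


def scan_for_phf(log_text):
    """Return one finding per request whose path is /cgi-bin/phf.

    A finding records whether the decoded query carries the newline byte
    phf's input filtering did not strip, the text injected after it, and
    whether the server served the request (200) or reported phf absent (404).
    """
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/cgi-bin/phf"):
            continue
        decoded = unquote(query)
        injected = "\n" in decoded
        findings.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "status": int(m.group("status")),
            "newline_injected": injected,
            "injected_cmd": decoded.split("\n", 1)[1] if injected else "",
            "served": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_for_phf(SAMPLE_LOG):
        print(finding)
```

Any finding with `served` true deserves a closer look at what the injected command did with the httpd user's permissions; a 404 shows the probe was made but phf was not there to run it.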