On Wed, 4 Jun 1997, Arnaud Girsch wrote:
> > I have noticed on my WWW log files the following 2 entries.
> > some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> > some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
Once All the httpd daemons come bundled with a script called phf this
script initially designed to build a mechanism like finger + whois
But there's a bug in this phf script that when it is used as above
could print any file (in this case /etc/passwd!!!!) or run any command
in root priviliege. I mean somebody tried to hack you passwd file.
The best thing to do is to go to your cgi-bin directory and issue
a "chmod 0 phf" and if you think you still need it pick a patched one
. I Can not remember where. Bu it measns that definitely somebody
tried to hack your system....
> > Does anyone know anything about these cgi scripts or programs?
> > Or how dangerous this is?
> These are well known cgi scripts containing security holes.
> The phf script coming with the default NCSA server is buggy, and should be
> disabled. (it allowas execution of shell programs)
> Arnaud Girsch -+- Marben Products, Inc. / DSET Corporation - San Jose, CA
> agirsch @
com -+- http://www.marben.com/ -+- http://www.dset.com/
sibernet internet security experts
and sokak 8/1 cankaya ankara turkiye 06680
tel : +90-312-4670198 (pbx) fax: +90-312-4670199
mail: info @