From owner-freebsd-isp  Sun Jan 26 14:57:20 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id OAA00274
          for isp-outgoing; Sun, 26 Jan 1997 14:57:20 -0800 (PST)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA00269
          for <freebsd-isp@FreeBSD.ORG>; Sun, 26 Jan 1997 14:57:17 -0800 (PST)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id SAA20626; Sun, 26 Jan 1997 18:00:19 -0500 (EST)
Date: Sun, 26 Jan 1997 18:00:19 -0500 (EST)
From: Dev Chanchani <dev@trifecta.com>
To: Christian Hochhold <expert@dusk.net>
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: possible phf exploit?
In-Reply-To: <199701260743.DAA06284@eternal.dusk.net>
Message-ID: <Pine.BSF.3.91.970126175939.20505E-100000@www.trifecta.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Yes, check the advisory on phf that came out several month's ago :-) ..
phf I guess passes user input into a shell, so it is possible to trick 
phf into executing shell commands as the user of the webserver.



On Sun, 26 Jan 1997, Christian Hochhold wrote:

> Evenin'
> 
> While checking my access logs I came across a few very interesting
> things.. someone trying to get to the passwd file through pfh.
> The logs showed the attempted access as being in the following format:
> 
> /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd
> 
> I don't run phf (nor have I checked it out per say), however
> to someone who does know/use phf this might prove interesting.
> 
> Comments? =)
> 
> Christian
>