Date: Sun, 26 Jan 1997 18:00:19 -0500 (EST)
From: Dev Chanchani <dev@trifecta.com>
To: Christian Hochhold <expert@dusk.net>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: possible phf exploit?
Message-ID: <Pine.BSF.3.91.970126175939.20505E-100000@www.trifecta.com>
In-Reply-To: <199701260743.DAA06284@eternal.dusk.net>

Yes, check the advisory on phf that came out several months ago :-) .. phf I guess passes user input into a shell, so it is possible to trick phf into executing shell commands as the user of the webserver.

On Sun, 26 Jan 1997, Christian Hochhold wrote:

> Evenin'
>
> While checking my access logs I came across a few very interesting
> things.. someone trying to get to the passwd file through phf.
> The logs showed the attempted access as being in the following format:
>
> /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd
>
> I don't run phf (nor have I checked it out per se), however
> to someone who does know/use phf this might prove interesting.
>
> Comments? =)
>
> Christian
>
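A log check for the kind of request quoted in this thread, as an added example that is not part of either poster's message: it scans Common Log Format lines for requests to a CGI script whose percent-decoded parameter values carry bytes or paths that a plain lookup value would not. The sample log lines are constructed, and the `SUSPECT` byte set, the `SENSITIVE` path list and the function name are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

# Assumed set of bytes that do not belong in a simple lookup value: shell
# metacharacters, control characters and anything above 7-bit ASCII, which
# covers the %ff seen in the request quoted above.
SUSPECT = set(b";|&`$<>(){}\\'\"*?") | set(range(0x20)) | set(range(0x7f, 0x100))
# Assumed list of path fragments worth calling out in a decoded value.
SENSITIVE = (b"/etc/passwd", b"/bin/")

def flag_cgi_probes(lines, script="/cgi-bin/phf"):
    """Return [(client, status, reasons)] for suspicious requests to script."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if path != script and not path.startswith(script + "/"):
            continue
        reasons = []
        # Split on the raw "&" first so a legitimate separator is not flagged;
        # only then percent-decode each value to bytes.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_to_bytes(raw)
            odd = sorted(set(value) & SUSPECT)
            if odd:
                reasons.append(f"{name}: bytes " + " ".join(f"0x{b:02x}" for b in odd))
            reasons += [f"{name}: contains {s.decode()}" for s in SENSITIVE if s in value]
        if reasons:
            hits.append((client, int(status), reasons))
    return hits

# Constructed sample lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/1997:03:12:44 -0400] "GET /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd HTTP/1.0" 404 170',
    '192.0.2.22 - - [26/Jan/1997:03:15:02 -0400] "GET /cgi-bin/phf/Q?alias=jsmith HTTP/1.0" 404 170',
    '192.0.2.31 - - [26/Jan/1997:03:16:40 -0400] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, status, reasons in flag_cgi_probes(SAMPLE_LOG):
        print(client, status, "; ".join(reasons))
```

The status code is kept in each hit because it separates a probe against a script that is not installed (404, as in the original poster's case) from a request the server actually handed to the script.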