From owner-freebsd-isp Sun Jan 26 14:57:20 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA00274 for isp-outgoing; Sun, 26 Jan 1997 14:57:20 -0800 (PST) Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA00269 for ; Sun, 26 Jan 1997 14:57:17 -0800 (PST) Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id SAA20626; Sun, 26 Jan 1997 18:00:19 -0500 (EST) Date: Sun, 26 Jan 1997 18:00:19 -0500 (EST) From: Dev Chanchani To: Christian Hochhold cc: freebsd-isp@FreeBSD.ORG Subject: Re: possible phf exploit? In-Reply-To: <199701260743.DAA06284@eternal.dusk.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-isp@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Yes, check the advisory on phf that came out several month's ago :-) .. phf I guess passes user input into a shell, so it is possible to trick phf into executing shell commands as the user of the webserver. On Sun, 26 Jan 1997, Christian Hochhold wrote: > Evenin' > > While checking my access logs I came across a few very interesting > things.. someone trying to get to the passwd file through pfh. > The logs showed the attempted access as being in the following format: > > /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd > > I don't run phf (nor have I checked it out per say), however > to someone who does know/use phf this might prove interesting. > > Comments? =) > > Christian >