From owner-freebsd-isp Sat Jan 25 23:46:54 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA24715 for isp-outgoing; Sat, 25 Jan 1997 23:46:54 -0800 (PST)
Received: from eternal.dusk.net (root@eternal.dusk.net [207.219.16.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA24695 for ; Sat, 25 Jan 1997 23:46:47 -0800 (PST)
Received: (from expert@localhost) by eternal.dusk.net (8.8.4/8.8.4) id DAA06284 for freebsd-isp@freebsd.org; Sun, 26 Jan 1997 03:43:35 -0400 (AST)
From: Christian Hochhold
Message-Id: <199701260743.DAA06284@eternal.dusk.net>
Subject: possible phf exploit?
To: freebsd-isp@freebsd.org
Date: Sun, 26 Jan 1997 03:43:35 -0400 (AST)
X-URL: http://www.dusk.net & http://www.vampires.net
X-Moto: Live for today and let the future take care of itself
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Evenin'

While checking my access logs I came across a few very interesting
things.. someone trying to get to the passwd file through phf.

The logs showed the attempted access as being in the following format:

/cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd

I don't run phf (nor have I checked it out per se), however to
someone who does know/use phf this might prove interesting.

Comments? =)

Christian
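
Added example, not part of the original message: a triage script for the kind of access-log entry quoted above. It separates requests that drew a 404 (no phf installed, as on the poster's server) from ones the server answered with a 2xx status. It assumes Common Log Format; the sample log lines, the `classify`/`scan` names and the matching heuristics are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Common Log Format (hosts, times, sizes invented).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/1997:02:11:07 -0400] "GET /index.html HTTP/1.0" 200 2048
192.0.2.77 - - [26/Jan/1997:02:14:31 -0400] "GET /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd HTTP/1.0" 404 207
198.51.100.5 - - [26/Jan/1997:02:20:02 -0400] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 207
192.0.2.77 - - [26/Jan/1997:02:21:40 -0400] "GET /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd HTTP/1.0" 200 1533
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
SENSITIVE = (b"/etc/passwd", b"/bin/")  # assumption: paths worth flagging in a query


def classify(line):
    """Return a finding dict for a suspicious phf request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, _method, target, status, _size = m.groups()
    path, _, query = target.partition("?")
    if not path.lower().startswith("/cgi-bin/phf"):
        return None
    raw = unquote_to_bytes(query)  # decode %xx so %ff and %20 become real bytes
    reasons = []
    if any(b < 0x20 or b > 0x7E for b in raw):
        reasons.append("non-printable byte in query")
    reasons += [f"references {s.decode()}" for s in SENSITIVE if s in raw]
    if not reasons:
        return None
    # Assumption: a 2xx status means something at that path answered the request;
    # a 404 means the script is not installed and the probe went nowhere.
    return {"host": host, "time": when, "status": int(status),
            "served": status.startswith("2"), "reasons": reasons}


def scan(text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "INVESTIGATE, request was served" if f["served"] else "probe only"
        print(f'{f["time"]} {f["host"]} {f["status"]} {verdict}: {", ".join(f["reasons"])}')
```

A finding with `served` set is the one to follow up: check whether a phf script exists under cgi-bin and what the response body contained.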