Date:      Mon, 30 Nov 1998 12:46:18 -0500 (EST)
From:      David B Swann <swann@nosc.mil>
To:        Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: cgi-bin/phf* security hole in apache
Message-ID:  <Pine.SUN.3.95q.981130124025.15846A-100000@anubis.nosc.mil>
In-Reply-To: <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE>

The phf security hole allowed remote users to execute commands running as
the same ID as the web server.  If your web server runs as root, as many
systems do, they could execute commands as root on your system.  You
should NEVER run a web server as root, IMHO.

I had people from Italy, Russia, and the US download my password file
using this exploit.  They also tried other things like running the ps
command.  I assume they were trying to determine the ID that the web
server was running.  A few other things failed to work, but I only got
error messages in the log file.  I don't know WHAT they actually tried.
Since I was using shadow password files, I feel safe that they could not
crack a password.

I've used this exploit to go THROUGH a firewall and download a password
file from a system.  This was at the remote site's request though.

 __________________________________________________________________________
| Bryan Swann (swann@nosc.mil)  803/566-0086   803/554-0015 (Fax)          |
| Eagan McAllister Associates, Inc.                                        |
|                                                                          |
|  "Everything must be working perfectly, cause I don't smell any smoke"   |
 --------------------------------------------------------------------------

On Thu, 26 Nov 1998, Christoph Kukulies wrote:

> 
> Could someone explain the effect of the 'phf*' security hole
> (severeness) in earlier apache versions? I detected someone
> having tried to test it against my httpd on several machines
> (net wide scan).
> 
> -- 
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
> http://blues.physik.rwth-aachen.de/hammond.html
> 


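A small log check in the spirit of Christoph's question about spotting such scans, added here as an example and not part of either message: it parses Apache common-log-format lines and counts requests for cgi-bin/phf* per client host. The log lines are constructed samples, and the path pattern and field names are assumptions.

```python
"""Flag requests for the phf CGI in Apache common-log-format access logs."""
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)

# Assumption: any request for a cgi-bin/phf* script is treated as a probe,
# since the phone-book CGI has no business being reachable from outside.
PHF_PATH_RE = re.compile(r'/cgi-bin/phf[^/?]*', re.IGNORECASE)


def parse_line(line):
    """Return a dict of CLF fields, or None for lines that are not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_phf_probe(entry):
    """True if the requested path targets a cgi-bin/phf* script."""
    return bool(PHF_PATH_RE.search(entry["path"]))


def scan(lines):
    """Return (probe entries, Counter of probes per client host)."""
    probes = []
    per_host = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_phf_probe(entry):
            continue
        probes.append(entry)
        per_host[entry["host"]] += 1
    return probes, per_host


# Constructed sample log lines (not taken from the mailing-list post).
SAMPLE_LOG = [
    '10.1.2.3 - - [26/Nov/1998:16:19:02 +0100] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.44 - - [26/Nov/1998:16:19:05 +0100] "GET /cgi-bin/phf HTTP/1.0" 404 312',
    '192.0.2.44 - - [26/Nov/1998:16:19:06 +0100] "GET /cgi-bin/phf?q=test HTTP/1.0" 500 0',
    '198.51.100.7 - - [26/Nov/1998:16:20:11 +0100] "GET /CGI-BIN/PHF HTTP/1.0" 404 312',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    probes, per_host = scan(SAMPLE_LOG)
    for host, n in per_host.most_common():
        print(f"{host}: {n} phf request(s)")
```

Error statuses (404, 500) on these paths are exactly the "error messages in the log file" mentioned above; the host counts show which sources were scanning rather than making a single stray request.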