From owner-freebsd-security Mon Nov 30 09:54:14 1998
Date: Mon, 30 Nov 1998 12:46:18 -0500 (EST)
From: David B Swann
To: Christoph Kukulies
cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
In-Reply-To: <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE>

The phf security hole allowed remote users to execute commands running as the same ID as the web server. If your web server runs as root, as many systems do, they could execute commands as root on your system. You should NEVER run a web server as root, IMHO.

I had people from Italy, Russia, and the US download my password file using this exploit. They also tried other things like running the ps command. I assume they were trying to determine the ID that the web server was running as. A few other things failed to work, but I only got error messages in the log file. I don't know WHAT they actually tried. Since I was using shadow password files, I feel safe that they could not crack a password.

I've used this exploit to go THROUGH a firewall and download a password file from a system. This was at the remote site's request though.
__________________________________________________________________________
| Bryan Swann (swann@nosc.mil)        803/566-0086   803/554-0015 (Fax)   |
| Eagan McAllister Associates, Inc.                                       |
|                                                                         |
| "Everything must be working perfectly, cause I don't smell any smoke"   |
--------------------------------------------------------------------------

On Thu, 26 Nov 1998, Christoph Kukulies wrote:

> Could someone explain the effect of the 'phf*' security hole
> (severeness) in earlier apache versions? I detected someone
> having tried to test it against my httpd on several machines
> (net wide scan).
>
> --
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
> http://blues.physik.rwth-aachen.de/hammond.html
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
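Both posters describe what phf probing looked like from the server side: a scan across several machines, and requests that either failed (only error messages in the log) or succeeded in returning a file. The following is an added example, not code from either poster or from the Apache project, showing how a log reviewer could pick such probes out of a Common Log Format access log, group them by source address, and separate probes the server rejected (4xx) from those it actually served (2xx). The log lines are constructed for the example and use documentation address ranges; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Two hosts probe /cgi-bin/phf; one of them gets a 200, meaning the script existed
# and ran, while the other only produces 404 error entries in the log.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Nov/1998:14:02:11 +0100] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 201
198.51.100.7 - - [26/Nov/1998:14:02:13 +0100] "GET /cgi-bin/phf HTTP/1.0" 404 201
203.0.113.9 - - [26/Nov/1998:15:30:40 +0100] "GET /index.html HTTP/1.0" 200 3456
203.0.113.9 - - [26/Nov/1998:15:31:02 +0100] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 200 5120
192.0.2.55 - - [27/Nov/1998:03:10:00 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 201
"""

# host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Any request for the phf CGI, with or without a query string.
PHF_PATH_RE = re.compile(r'/cgi-bin/phf\b')


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_phf_probes(log_text):
    """Return the parsed records whose request path targets /cgi-bin/phf."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PHF_PATH_RE.search(rec['path']):
            # 'served' is True when the server answered with a 2xx, i.e. the CGI ran.
            rec['served'] = 200 <= rec['status'] < 300
            probes.append(rec)
    return probes


def summarize(probes):
    """Count probes per source address and how many of them were served."""
    summary = defaultdict(lambda: {'probes': 0, 'served': 0})
    for rec in probes:
        entry = summary[rec['ip']]
        entry['probes'] += 1
        if rec['served']:
            entry['served'] += 1
    return dict(summary)


if __name__ == '__main__':
    for ip, counts in sorted(summarize(find_phf_probes(SAMPLE_LOG)).items()):
        flag = 'SERVED' if counts['served'] else 'rejected'
        print(f"{ip}: {counts['probes']} phf request(s), {counts['served']} served -> {flag}")
```

A source that appears with `served > 0` is the case that needs follow-up: the script was present and executed, so the request is not just a scan but a likely compromise of whatever the httpd user could read. Entries with only 4xx statuses correspond to the "error messages in the log file" the reply above mentions and mainly tell you who is scanning.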