From owner-freebsd-isp  Sun Jan 26 10:03:05 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id KAA17048
          for isp-outgoing; Sun, 26 Jan 1997 10:03:05 -0800 (PST)
Received: from gamma.pair.com (gamma.pair.com [207.86.128.13])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA17043
          for <freebsd-isp@FreeBSD.ORG>; Sun, 26 Jan 1997 10:03:01 -0800 (PST)
Received: from [207.104.16.21] (ppp-207-104-16-21.snrf01.pacbell.net [207.104.16.21]) by gamma.pair.com (8.8.4/8.6.12) with SMTP id NAA19914; Sun, 26 Jan 1997 13:02:50 -0500 (EST)
X-Envelope-To: freebsd-isp@FreeBSD.ORG
X-Sender: erich@mail.powerwareintl.com (Unverified)
Message-Id: <v02130404af113a1108f1@[207.104.16.65]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 26 Jan 1997 10:02:53 -0800
To: Ulf Zimmermann <ulf@Alameda.net>, Christian Hochhold <expert@dusk.net>,
        freebsd-isp@FreeBSD.ORG
From: erich@powerwareintl.com (Eric Harley)
Subject: Re: possible phf exploit?
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

You can all thank 2600 Magazine. last month they did an issue on phf and
how to crack it. Interesting article, but since the problem was solved a
long time ago, the article is useless.

>This an old thing. I am getting serveral hits per month, trying that.
>
>Ulf.
>
>At 03:43 AM 1/26/97 -0400, Christian Hochhold wrote:
>>Evenin'
>>
>>While checking my access logs I came across a few very interesting
>>things.. someone trying to get to the passwd file through pfh.
>>The logs showed the attempted access as being in the following format:
>>
>>/cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd
>>
>>I don't run phf (nor have I checked it out per say), however
>>to someone who does know/use phf this might prove interesting.
>>

                                     Eric
Eric Harley, VP Information Systems & CIO
Powerware International
http://www.powerwareintl.com/

Email:  eric.harley@powerwareintl.com
Web:    http://www.powerwareintl.com/staff/erich/
PGP:    http://www.powerwareintl.com/staff/erich/pgp.txt