httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: Security problem in phf (fwd)
Date Fri, 09 Feb 1996 07:21:50 GMT
> 
> 
> cgi-src/phf.c   bye bye ?

Presumably the bug is in the CGI code, not phf? Or is this a phf-specific
thing?

Cheers,

Ben.

> 
> Forwarded message:
> > From jmyers@marigold.eecs.nwu.edu  Mon Feb  5 17:13:11 1996
> > Message-Id: <199602052251.QAA04794@marigold.eecs.nwu.edu>
> > Subject: Security problem in phf
> > To: jbrowne@uiuc.edu, apache-bugs@apache.org, httpd@hoohoo.ncsa.uiuc.edu
> > Date: Mon, 5 Feb 1996 16:51:05 -0600 (CST)
> > From: Jennifer Myers <jmyers@marigold.eecs.nwu.edu>
> > X-Mailer: ELM [version 2.4 PL25]
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=US-ASCII
> > Content-Transfer-Encoding: 7bit
> > 
> > Hello,
> > 
> > Both the NCSA httpd and Apache httpd distributions include a CGI
> > program "phf" which is a forms-based interface to Ph servers written
> > by Jim Browne <jbrowne@uiuc.edu>.
> > 
> > "phf" can be made to execute commands by inserting "%0A" (newline) into the
> > URL of a phf query, followed by whatever command you wish to execute.
> > 
> > Example:
> > 
> > http://hoohoo.ncsa.uiuc.edu:80/cgi-bin/phf?Jserver=ns.uiuc.edu&Qalias=jbrowne&Qname=&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip=%0Als
> > ^^^^^
> > 
> > Output:
> > ------
> > Query Results
> > 
> > /usr/local/bin/ph -m -s ns.uiuc.edu alias=jbrowne slip= ls 
> > 
> > -507:slip:unknown field.
> > 500:Did not understand query.
> > AA
> > AA.pl
> > archie
> > calendar
> > cgi-dump
> > change-passwd
> > date
> > donothing
> > [...]
> > -------
> > 
> > The fix is to add \x0A to the characters which escape_shell_cmd() in
> > util.c will escape:
> > 
> > -        if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
> > +        if(ind("&;`'\"|*?~<>^()[]{}$\\\x0A",cmd[x]) != -1){
> > 
> > 
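Review bot: on the `+` line the string is still a denylist, so this closes only the newline case; any byte that is not listed continues to pass through unescaped, and carriage return (`\x0D`) is worth checking for the same reason. Consider writing the new entry as `\n` rather than `\x0A`: a hex escape absorbs any hex digits that follow it, so a later edit that appends a character such as `a` or `0` after it would silently change the byte being matched. A short comment beside the string saying why newline is in the set would also help whoever next touches it.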
> > Thanks,
> > Jennifer Myers
> > 
> 

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant        Fax:   +44 (181) 994 6472
and Technical Director      Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
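
The character-set change in the quoted fix, as an added example that is not part of the original thread and is not the util.c code: `escape_with_set` and `unescaped_newlines` are hypothetical helpers, and backslash-prefixing each listed byte is an assumption about how the escaping is done. The input is the decoded `slip=` value from the report.

```c
#include <stdio.h>
#include <string.h>

/* The two character sets from the quoted diff. */
static const char OLD_SET[] = "&;`'\"|*?~<>^()[]{}$\\";
static const char NEW_SET[] = "&;`'\"|*?~<>^()[]{}$\\\x0A";

/* Hypothetical helper (not util.c): copy src to dst, putting a backslash
 * in front of every byte found in set. Returns the output length, or -1
 * if dst (dstlen bytes) is too small. */
int escape_with_set(const char *set, const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int hit = strchr(set, src[i]) != NULL;
        if (o + (hit ? 2 : 1) >= dstlen)
            return -1;
        if (hit)
            dst[o++] = '\\';
        dst[o++] = src[i];
    }
    dst[o] = '\0';
    return (int)o;
}

/* Count newlines that are not backslash-escaped. Each one ends the command
 * line, so whatever follows it is read by the shell as a new command. */
int unescaped_newlines(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '\\' && s[i + 1] != '\0')
            i++;                      /* skip the escaped byte */
        else if (s[i] == '\n')
            n++;
    }
    return n;
}

int main(void)
{
    const char *value = "slip=\nls";  /* decoded Qslip=%0Als from the report */
    char out[64];
    escape_with_set(OLD_SET, value, out, sizeof out);
    printf("old set: %d unescaped newline(s)\n", unescaped_newlines(out));
    escape_with_set(NEW_SET, value, out, sizeof out);
    printf("new set: %d unescaped newline(s)\n", unescaped_newlines(out));
    return 0;
}
```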
