httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jennifer Myers <>
Subject util.c hole and speed of security patch release
Date Mon, 22 Apr 1996 22:25:09 GMT

I hope you don't mind that I've subscribed to this mailing list.  It
takes *forever* to download from, and given that it
is publically available there, I figured that the list membership
would be open as well.  I'll just lurk for the most part, but I wanted
to add my two cents on the newline/util.c issue.

I hope you guys remember that I told you about the phf/util.c hole
back in February:

  Subject: Security problem in phf
  Date: Mon, 5 Feb 1996 16:51:05 -0600 (CST)
  From: Jennifer Myers <>


  Both the NCSA httpd and Apache httpd distributions include a CGI
  program "phf" which is a forms-based interface to Ph servers written
  by Jim Browne <>.

  "phf" can be made to execute commands by inserting "%0A" (newline) into the
  URL of a phf query, followed by whatever command you wish to execute.

  [..removed for brevity..]

    The fix is to add \x0A to the characters which escape_shell_cmd() in
  util.c will escape:

  -        if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
  +        if(ind("&;`'\"|*?~<>^()[]{}$\\\x0A",cmd[x]) != -1){

I went to investigate some other widely-used CGI programs, and found
the same type of error being repeated: a shell was being invoked on
user-supplied input without the newline character being stripped or
escaped.  Most of these programs tried to sanitize their input by
escaping a list of shell meta-characters, but those lists of nasty
characters, as provided by several CGI security FAQs did not include
the newline character.

When I saw that this error was widespread in public-domain CGI
scripts, despite the author's attempts at being secure, I posted an
advisory titled "CGI security vulnerability: %0A (newlines) in
user-supplied data" later that day (Feb 5th) to
comp.infosystems.www.authoring.cgi, comp.infosystems.www.servers.unix, and www-security and bugtraq with an example
exploit, but without information on which CGI programs specifically
are vulnerable.

That posting is available at

I received an acknowledgment from Rob Hartill on Feb 8:

  From  Thu Feb  8 22:46:13 1996
  From: Rob Hartill <>
  Message-Id: <>
  Subject: Re: Security problem in phf
  To: (Jennifer Myers)
  Date: Thu, 8 Feb 1996 20:46:05 -0800 (PST)
  In-Reply-To: <> from "Jennifer Myers" at
Feb 5, 96 04:51:05 pm
  thanks for the warning.


(And no reply from NCSA).

Curiously, a version of Apache was released after Feb 8th without the
problem fixed.  Not until IBM-ERS, CERT, CIAC, etc. picked up the
advisory in March did it seem that there was any interest in fixing
the bug!  Meanwhile, I have received reports that the bug is being
actively exploited, because a good majority of sites have installed
phf by way of installing all of the sample CGI code which comes with
Apache and NCSA httpd.  CERT has also indicated that the bug is being
actively exploited.

I understand that the bug only results from insecure programming
practice (interestingly, one of the first versions of phf in early
1994 did not escape *any* characters before passing them to popen()),
but I'm curious why action was not taken.

You (members of the list) complain that IBM-ERS or CIAC did not 
inform you of the bug in src/util.c prior to releasing their advisories.

Well, I quietly informed you of the bug in cgi-src/util.c on February
5th, right when I discovered it.  Better yet, I have never advertised
publically of the bug in phf (though lots of people mailed me to say
that they had found the problem in phf from my description) -- I
figured I ought to give you a chance to deal with it first -- and
instead, I released an "advisory" on the nature of the bug, which is
present in many poorly written CGI programs, and the security FAQs at
the time did not advise against, in not including the newline
character in their list of shell meta-characters.

Is this not what you asked of IBM-ERS and CIAC?  It seems you forget
that you were advised of this bug by me a month before IBM-ERS first
contacted you.

This has been my first experience of releasing an "advisory" to the
public.  It is disheartening that action is only taken after the bug
is publicized on zillions of security advisories rather than at the
time that discreet mail was sent to the author.

And you say you would prefer the discreet mail.

Sorry for all the negativity in this message. I think Apache is a
wonderful product and I've just put 1.1b1 on my 80,000 hit/day server.
Soon I want to learn the Apache API, which is why I have joined this

Jennifer Myers

View raw message