httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: util.c hole and speed of security patch release
Date Mon, 22 Apr 1996 22:42:04 GMT
	Thanks for bringing up your points.

	The issue is not with the cgi-src/util.c bug but the
src/util.c bug. The most recent advisory was regarding src/util.c,
which I beleive is very hard to exploit, if at all. We released a fix
for that immediately.
	The problem you reported first was cgi-src/util.c, which, in
my opinion, was not as important because it isn't a core part of the
	No "discreet mail" was sent regarding the src/util.c bug,
only the cgi-src/util.c bug.

> I hope you don't mind that I've subscribed to this mailing list.  It
> takes *forever* to download from, and given that it
> is publically available there, I figured that the list membership
> would be open as well.  I'll just lurk for the most part, but I wanted
> to add my two cents on the newline/util.c issue.
> I hope you guys remember that I told you about the phf/util.c hole
> back in February:
>   Subject: Security problem in phf
>   To:,,
>   Date: Mon, 5 Feb 1996 16:51:05 -0600 (CST)
>   From: Jennifer Myers <>
>     Hello,
>   Both the NCSA httpd and Apache httpd distributions include a CGI
>   program "phf" which is a forms-based interface to Ph servers written
>   by Jim Browne <>.
>   "phf" can be made to execute commands by inserting "%0A" (newline) into the
>   URL of a phf query, followed by whatever command you wish to execute.
>   [..removed for brevity..]
>     The fix is to add \x0A to the characters which escape_shell_cmd() in
>   util.c will escape:
>   -        if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
>   +        if(ind("&;`'\"|*?~<>^()[]{}$\\\x0A",cmd[x]) != -1){
> I went to investigate some other widely-used CGI programs, and found
> the same type of error being repeated: a shell was being invoked on
> user-supplied input without the newline character being stripped or
> escaped.  Most of these programs tried to sanitize their input by
> escaping a list of shell meta-characters, but those lists of nasty
> characters, as provided by several CGI security FAQs did not include
> the newline character.
> When I saw that this error was widespread in public-domain CGI
> scripts, despite the author's attempts at being secure, I posted an
> advisory titled "CGI security vulnerability: %0A (newlines) in
> user-supplied data" later that day (Feb 5th) to
> comp.infosystems.www.authoring.cgi, comp.infosystems.www.servers.unix,
> and www-security and bugtraq with an example
> exploit, but without information on which CGI programs specifically
> are vulnerable.
> That posting is available at
> <>.
> I received an acknowledgment from Rob Hartill on Feb 8:
>   From  Thu Feb  8 22:46:13 1996
>   From: Rob Hartill <>
>   Message-Id: <>
>   Subject: Re: Security problem in phf
>   To: (Jennifer Myers)
>   Date: Thu, 8 Feb 1996 20:46:05 -0800 (PST)
>   Cc:,,
>   In-Reply-To: <> from "Jennifer Myers"
at Feb 5, 96 04:51:05 pm
>   Reply-To:
>   thanks for the warning.
>   cheers,
>   rob
>   [...]
> (And no reply from NCSA).
> Curiously, a version of Apache was released after Feb 8th without the
> problem fixed.  Not until IBM-ERS, CERT, CIAC, etc. picked up the
> advisory in March did it seem that there was any interest in fixing
> the bug!  Meanwhile, I have received reports that the bug is being
> actively exploited, because a good majority of sites have installed
> phf by way of installing all of the sample CGI code which comes with
> Apache and NCSA httpd.  CERT has also indicated that the bug is being
> actively exploited.
> I understand that the bug only results from insecure programming
> practice (interestingly, one of the first versions of phf in early
> 1994 did not escape *any* characters before passing them to popen()),
> but I'm curious why action was not taken.
> You (members of the list) complain that IBM-ERS or CIAC did not 
> inform you of the bug in src/util.c prior to releasing their advisories.
> Well, I quietly informed you of the bug in cgi-src/util.c on February
> 5th, right when I discovered it.  Better yet, I have never advertised
> publically of the bug in phf (though lots of people mailed me to say
> that they had found the problem in phf from my description) -- I
> figured I ought to give you a chance to deal with it first -- and
> instead, I released an "advisory" on the nature of the bug, which is
> present in many poorly written CGI programs, and the security FAQs at
> the time did not advise against, in not including the newline
> character in their list of shell meta-characters.
> Is this not what you asked of IBM-ERS and CIAC?  It seems you forget
> that you were advised of this bug by me a month before IBM-ERS first
> contacted you.
> This has been my first experience of releasing an "advisory" to the
> public.  It is disheartening that action is only taken after the bug
> is publicized on zillions of security advisories rather than at the
> time that discreet mail was sent to the author.
> And you say you would prefer the discreet mail.
> Sorry for all the negativity in this message. I think Apache is a
> wonderful product and I've just put 1.1b1 on my 80,000 hit/day server.
> Soon I want to learn the Apache API, which is why I have joined this
> list.
> --
> Jennifer Myers

Sameer Parekh					Voice:   510-601-9777x3
Community ConneXion, Inc.			FAX:     510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376 (or login as "guest")

View raw message