Brief description: The PHF CGI script passes shell metacharacters through and executes them.
Full description: The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell-based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls.
Components: Apache 1.0.3 and below (trusted), NCSA httpd 1.5a-export and below (trusted); in these distributions any CGI program built using the sample code that allows input from the remote user and passes that input to a shell
Systems:
Effect(s) of exploiting: A remote user can execute commands with the privileges of the web server.
Detecting the hole:
Fixing the hole:
Change the line
    if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
to
    if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
so that the newline character is also treated as a shell metacharacter. Also, change the same line in cgi-src/util.c in exactly the same way.
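As an added illustration (not code from the advisory or from the NCSA/Apache distributions), the snippet below reconstructs the check around the patched line with both metacharacter lists and verifies that only the fixed list neutralises an embedded newline. The ind() helper, the backslash-prefixing behaviour of escape_shell_cmd() and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed helper mirroring the ind() call on the page: index of c in s, or -1. */
static int ind(const char *s, char c) {
    const char *p = (c != '\0') ? strchr(s, c) : NULL;
    return p ? (int)(p - s) : -1;
}

/* The metacharacter list quoted on the page before the fix, and the fixed one. */
static const char *META_VULN  = "&;`'\"|*?~<>^()[]{}$\\";
static const char *META_FIXED = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Assumed behaviour of escape_shell_cmd(): each listed character is prefixed
   with a backslash. Writes to out, which must hold 2*strlen(cmd)+1 bytes. */
static void escape_shell_cmd(const char *meta, const char *cmd, char *out) {
    size_t o = 0;
    for (size_t x = 0; cmd[x]; x++) {
        if (ind(meta, cmd[x]) != -1)
            out[o++] = '\\';
        out[o++] = cmd[x];
    }
    out[o] = '\0';
}

/* 1 if every newline in s carries a backslash, so the shell no longer reads it
   as a command separator; 0 otherwise. */
static int newlines_escaped(const char *s) {
    for (size_t i = 0; s[i]; i++)
        if (s[i] == '\n' && (i == 0 || s[i - 1] != '\\'))
            return 0;
    return 1;
}

/* Pushes a constructed form value containing an embedded newline through both
   lists; returns 1 when only the fixed list neutralises the newline. */
static int demo(void) {
    const char sample[] = "Smith\nextra";  /* constructed input, not from the advisory */
    char vuln[64], fixed[64];
    escape_shell_cmd(META_VULN, sample, vuln);
    escape_shell_cmd(META_FIXED, sample, fixed);
    printf("before fix: %s\n", newlines_escaped(vuln) ? "newline escaped" : "newline passed through");
    printf("after fix:  %s\n", newlines_escaped(fixed) ? "newline escaped" : "newline passed through");
    return !newlines_escaped(vuln) && newlines_escaped(fixed);
}

int main(void) { return demo() ? 0 : 1; }
```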
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0067 -- CGI phf program allows remote command execution through shell metacharacters.
Attack:
Advisories: CIAC Advisories G-20 and G-17; CERT Advisory CA-96:06, Vulnerability in NCSA/Apache CGI example code; ISS X-Force entry http-cgi-phf; Security Focus database entry 629; the original IBM advisories are ERS-SVA-E01-1996:002.1 and ERS-SVA-E01-1996:002.2
Related Vulnerabilities:
Reporting: Jennifer Myers in IBM ERS Advisory (ERS-SVA-E01-1996:002.1) (16 April 1996)