phf CGI Vulnerability

A vulnerability exists in the sample cgi-bin program, phf, which is included with NCSA HTTPd, and Apache Version 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the HTTPd is running as.

The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip out dangerous characters prior to passing these strings along to shell-based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. Versions below each of the vulnerable Web servers are assumed to be vulnerable to exploitation via the phf example code.

If successfully exploited, unauthorized users can execute any command and download any file from the server.

This cgi-bin call, along with any others that are unused, should be removed. A patched version of the escape_shell_cmd() function is available as part of later HTTPd distributions. You can download the patched version fromhttp://hoohoo.ncsa.uiuc.edu.

Apache should be upgraded immediately. Newer versions of Apache Server can be downloaded from http://www.apache.org.