COMMAND

    phf

SYSTEMS AFFECTED

    All known versions of phf (patched and unpatched)

PROBLEM

    'proton' found the following.

        ...
        
        main(int argc, char *argv[]) {
            entry entries[64];
        
        ...
        
            for(x=0;cl[0] != '\0';x++) {
                m=x;
                getword(entries[x].val,cl,'&');
                plustospace(entries[x].val);
                unescape_url(entries[x].val);
                getword(entries[x].name,entries[x].val,'=');
            }
        
        ...

    The `for' loop does not verify that x is less than 64. Because
    `entries' is a flat array on the stack, any data written into the
    64th entry will overwrite the return pointer, allowing malicious
    code to be executed.

    This bug is unrelated to the bad chars filter problem that is  the
    best known vulnerability of phf.
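
    The loop above with the missing bound enforced, as an added example
    that is not code from phf or from the advisory. parse_query,
    copy_bounded and MAX_FIELD are assumed names, and the URL decoding
    steps (plustospace, unescape_url) are left out.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64   /* same capacity as entries[64] in the excerpt */
#define MAX_FIELD   256  /* assumed per-field limit, not taken from phf */

typedef struct { char name[MAX_FIELD]; char val[MAX_FIELD]; } entry;

/* Copy src[0..len) into dst of capacity cap; -1 if it would not fit. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/*
 * Split "a=1&b=2" into entries[]. Returns the number of entries stored,
 * or -1 if there are more than max fields or a field is too long.
 * Rejecting the request is safer than silently truncating it.
 */
int parse_query(const char *cl, entry *entries, size_t max) {
    size_t x = 0;
    while (*cl != '\0') {
        if (x >= max) return -1;              /* the check the phf loop lacks */
        size_t field = strcspn(cl, "&");      /* length of this name=value pair */
        const char *eq = memchr(cl, '=', field);
        size_t nlen = eq ? (size_t)(eq - cl) : field;
        size_t vlen = eq ? field - nlen - 1 : 0;
        if (copy_bounded(entries[x].name, MAX_FIELD, cl, nlen) != 0) return -1;
        if (copy_bounded(entries[x].val, MAX_FIELD,
                         eq ? eq + 1 : cl + field, vlen) != 0) return -1;
        x++;
        cl += field;
        if (*cl == '&') cl++;                 /* skip the separator */
    }
    return (int)x;
}

int main(void) {
    static entry e[MAX_ENTRIES];
    /* constructed sample input */
    int n = parse_query("name=proton&host=example", e, MAX_ENTRIES);
    printf("%d fields, first is %s=%s\n", n, e[0].name, e[0].val);
    return 0;
}
```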

SOLUTION

    Yes - phf is an old script but it is still fairly common.

    Locate  and  DELETE  all  versions  of  phf.   Do  NOT  rename the
    executable, crackers might  discover the new  name and exploit  it
    (this is not uncommon).