COMMAND

    httpd (phf)

SYSTEMS AFFECTED

    NCSA or  Apache (earlier  than 1.1.1)  non-commercial Web  servers
    using util.c

PROBLEM

    Util.c traps escape  and control characters  but does not  trap \n
    (newline), which allows an intruder to terminate the  current line
    and follow it with a UNIX command that runs as the httpd owner.

    http://boogered.system.com/cgi-bin/phf?Qname=root%0Asome%20command%20here

    which,  with  a  file-reading  command  in  place of the placeholder,
    would dump the /etc/passwd file to  the screen.  The true implications
    of this bug are that any remote user  can execute ANY command on  the
    system as the UID/GID of  the httpd child process.   As J-Man  Th'
    Shaman  pointed out,  people  are  getting  through  packet filtering
    schemes  by  initiating remote xterms, and one case was even seen where
    a cracker emailed a uuencoded root shell  exploit into the httpd child
    process owner's mail spool, then uudecoded a binary that would exploit
    another bug to get root,  set up  a suid  root copy  of socdaemon (which
    ties a shell to a port), and executed it.

    Having phf  active in  vulnerable form  is a welcome  invitation to
    anyone willing to play with you.

SOLUTION

    Upgrade Apache to version 1.1.1 or greater
    Upgrade to the latest version of NCSA

    Patch util.c like so:

    replace

    if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
    OR
    if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

    with

    if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
    OR
    if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

    respectively.
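
    The following C program is an added example, not code from this advisory
    or from the NCSA/Apache util.c it describes.  It reproduces the one-byte
    metacharacter test from the patch above with both lists, the pre-fix one
    and the fixed one with \n appended, and shows why the %0A in the URL
    under PROBLEM gets past the old list: the CGI layer decodes %0A into a
    literal newline byte before the filter ever sees the value.  The names
    url_decode, first_unsafe and check_decoded are hypothetical, and the
    sample query value is constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacter list from the pre-fix check quoted in the advisory. */
static const char OLD_UNSAFE[] = "&;`'\"|*?~<>^()[]{}$\\";
/* The corrected list: the same set plus the newline the old one let through. */
static const char NEW_UNSAFE[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Decode %XX escapes and '+' the way a CGI layer does before util.c sees
 * the value.  Returns the decoded length, or -1 if the output would
 * overflow or the input encodes a NUL byte (which would silently truncate
 * the string and hide whatever followed it from a later check). */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        if (c == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            if (c == '\0')
                return -1;
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Index of the first byte of cmd found in unsafe, or -1 if there is none.
 * This is the test the advisory's ind(...) != -1 line performs per byte. */
int first_unsafe(const char *cmd, const char *unsafe)
{
    for (int x = 0; cmd[x] != '\0'; x++)
        if (strchr(unsafe, cmd[x]) != NULL)
            return x;
    return -1;
}

/* Decode a raw query value, then run the metacharacter check against it.
 * Returns -2 if decoding fails, otherwise the first_unsafe() result. */
int check_decoded(const char *raw, const char *unsafe)
{
    char buf[256];
    if (url_decode(raw, buf, sizeof buf) < 0)
        return -2;
    return first_unsafe(buf, unsafe);
}

int main(void)
{
    /* Constructed sample: a Qname value carrying an encoded newline (%0A). */
    const char *sample = "root%0Aid";
    printf("pre-fix list : %d\n", check_decoded(sample, OLD_UNSAFE)); /* -1: passes */
    printf("fixed list   : %d\n", check_decoded(sample, NEW_UNSAFE)); /*  4: rejected */
    return 0;
}
```

    With the pre-fix list the decoded value is reported clean (-1), so the
    newline and everything after it reach the shell; with \n in the list the
    check stops at byte 4, where the newline sits.  A character blacklist of
    this kind is only as good as its completeness, which is exactly how the
    bug arose; the durable fix is not to hand user-supplied text to a shell
    at all, but to pass it as a single argv element to the program that needs it.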