Phone book CGI phf allows remote execution of arbitrary commands
| http-cgi-phf (148) |  High Risk |
Description:
A vulnerability exists in the phf phone book that is pre-installed with several older could allow a remote attacker to execute arbitrary commands on a Web server. Exploit information for this vulnerability is widespread and many programs exist to actively probe entire networks for this vulnerability. An attacker could use the phone book program to deface a Web page.
This vulnerability could also be used by an attacker to gather information for further attacks or to gain root or administrator access to the target system.
Consequences:
Gain Access
Remedy:
No remedy available as of July 9, 2011.
References:
- CERT Advisory CA-1996-06: Vulnerability in NCSA/Apache CGI example code.
- FreeBSD Security Advisory FreeBSD-SA-96:02: apache httpd meta-character escaping.
- BID-629: phf Remote Command Execution Vulnerability
- CVE-1999-0067: phf CGI program allows remote command execution through shell metacharacters.
- OSVDB ID: 136: phf CGI Arbitrary Command Execution
- US-CERT VU#20276: phf CGI Script fails to guard against newline characters
Platforms Affected:
- Various vendors Common Gateway Interface (CGI)
Reported:
Feb 05, 1996
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net