Signature Detail

HTTP: NCSA PHF Arbitrary Command Execution

This signature detects attempts to exploit a known vulnerability in the phf script included with some Web servers. Attackers can send URL requests with maliciously embedded strings that can allow them to execute arbitrary commands on the server.

Extended Description

A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. Versions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code.

Affected Products

• Apache Software Foundation Apache 1.0.3
• NCSA httpd 1.5.0 a-export

References

• BugTraq: 629
• CVE: CVE-1999-0067
• URL: http://www.securityfocus.com/advisories/126
• URL: http://www.securityfocus.com/advisories/1451