----------------------------------------------------------------------------

Service

http

Problem

The phf white pages directory service program distributed with the NCSA
httpd, versions NCSA/1.5a and earlier, and also included in the Apache
distribution prior to version Apache/1.0.5, passes unchecked newline
characters to the Unix shell.

Impact

Internet users can have arbitrary commands executed on the machine with the
privileges of the owner of the http daemon.

Timeliness

Widely known since 12th March 1996.
Additionally, a list of sites likely to be vulnerable is available from
Digital's AltaVista facility.

Example

http://your.host.name/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

may retrieve a password file from a vulnerable machine.

Recommendations

   * A corrected version of the /cgi-src/util.c code is available in the
     current NCSA and Apache distributions.
   * Take care with respect to what programs you make available in the CGI
     directory generally, and remove any programs that are not in active
     use.
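
The following is an added illustration, not the NCSA or Apache source. It
shows why a shell-escaping routine whose metacharacter list omits newline
lets the example input above start a second command, and how listing newline
closes that gap. The names escape_with, live_newlines, META_WEAK and
META_FIXED, and the metacharacter lists themselves, are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter sets (not copied from util.c): without and with '\n'. */
static const char META_WEAK[]  = "&;`'\"|*?~<>^()[]{}$\\";
static const char META_FIXED[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Copy src to dst with a backslash before each byte listed in meta.
 * Returns the output length, or -1 if dst (cap bytes) is too small. */
static int escape_with(const char *meta, const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        int special = strchr(meta, *src) != NULL;
        if (o + (special ? 2 : 1) >= cap)
            return -1;
        if (special)
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Count newlines not consumed by a preceding backslash: command separators. */
static int live_newlines(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i]; i++) {
        if (s[i] == '\\' && s[i + 1])
            i++;                /* backslash consumes the next byte */
        else if (s[i] == '\n')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: Qalias from the advisory's example URL, URL-decoded. */
    const char *q = "x\n/bin/cat /etc/passwd";
    char weak[128], fixed[128];
    escape_with(META_WEAK, q, weak, sizeof weak);
    escape_with(META_FIXED, q, fixed, sizeof fixed);
    printf("weak:  %d live newline(s)\n", live_newlines(weak));
    printf("fixed: %d live newline(s)\n", live_newlines(fixed));
    return 0;
}
```

With the weak list the newline reaches the shell unescaped; with newline in
the list, the shell sees a backslash-newline pair, which it treats as a line
continuation rather than the end of a command.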

