
PHF Vulnerability


PHF is a white-pages-like service (program) that was distributed with the
NCSA httpd and Apache WWW servers. I personally can't think of a single
legitimate use for phf. Anyway, back to the point: the problem is that phf
can be used to retrieve *any* file from a vulnerable machine (this includes
the passwd file). The usage is quite simple: phf uses the HTTP protocol, and
therefore it can be used through a simple web browser. PHF is located in
the cgi directory of the server. The command line that exploits phf by
retrieving a pw file is:
http://your.host.name/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Here your.host.name is replaced with the name of the server in question. So,
for example, if somebody was going to attempt to exploit the system
www.cool.com, they would type
http://www.cool.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd in the
browser location window.

If you are the sys admin and are concerned about unauthorized users
exploiting your system through the phf bug, here is a simple way to prevent
it. Add the following line to the php.h file:

#define PATTERN_RESTRICT ".*\\.phtml$"

This line restricts phf so it can only display files that end in the .phtml
extension (therefore preventing retrieval of important files such as
passwd). The PHF bug is likely to work only on weak, unprotected systems,
particularly foreign systems (Japanese, for example).
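
For admins who want to check whether the request shown above has been tried
against their server, here is an added example (not part of the original
text) that scans access-log lines for requests to a phf script whose query
string carries an encoded line break such as the %0a in that URL. The log
lines are constructed samples in Common Log Format, and the function names
are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format request field: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def is_phf_probe(target):
    """True if the request target names a phf script and its query
    string contains an encoded line break (%0a or %0d)."""
    parts = urlsplit(target)
    # Decode the path first so /cgi-bin/%70hf is treated like /cgi-bin/phf.
    script = unquote(parts.path).rstrip("/").rsplit("/", 1)[-1].lower()
    if script != "phf":
        return False
    decoded = unquote(parts.query)
    return "\n" in decoded or "\r" in decoded

def find_phf_probes(log_lines):
    """Return a list of (client, target) for each matching log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_phf_probe(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample log lines (documentation-range addresses, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/1997:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jan/1997:10:00:05 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 812',
    '192.0.2.44 - - [01/Jan/1997:10:00:09 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 301',
    '203.0.113.5 - - [01/Jan/1997:10:00:12 +0000] '
    '"GET /cgi-bin/%70hf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, target in find_phf_probes(SAMPLE_LOG):
        print(client, target)
```

A hit with a 200 status means the script exists and answered, so the server
should be treated as exposed until phf is removed or restricted.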

Duncan Silver of U2
www.hackersclub.com/uu
