|
PHF Vulnerability PHF is a white pages like service (program) that was distributed with NCSA httpd and Appache www servers. I personally can't think of a single legimate use for phf. Anyway, back to the point, the problem is that phf can be used to retreve *any* file from a vulnerable machine. (this includes passwd file) The usage is quite simple, phf used http protocol, and therefore it can be used through a simple web browser. PHF is located in cgi directory of the server. The command line that exploits phf by retreving a pw file is: http://your.host.name/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd Where your.host.name is replaced with a name of the server in question. So, for example if somebody was going to attempt to exploit system www.cool.com, they would type http://www.cool.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd in the browser location window. If you are the sys admin, and are concerned with unauthorized users exploiting your system through a phf bug, here is a simple way to prevent it. Add the following line to the php.h file: #define PATTERN_RESTRICT ".*\\.phtml$" This line restricts phf so it can only display files that end in .phtl extension (therefore preventing retreval of the important files such as passwd) PHF bug is likelly to work only weak, unprotected systems, particulary, foreign systems (japanese for example). Duncan Silver of U2 www.hackersclub.com/uu