VAR-199603-0003

Vulnerability from variot - Updated: 2024-01-29 19:09

phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf, which was widely exploited in 1996 and 1997. The vulnerability exists in the sample cgi-bin program, phf, which is included with NCSA httpd and with Apache 1.0.3, an NCSA derivative. By supplying certain characters that have special meaning to the shell, remote users can execute arbitrary commands with the privileges of whatever user httpd runs as. The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters from strings before they are passed to shell-based library calls such as popen() or system(). Because the function fails to filter certain characters, however, commands can be executed through these calls. Versions earlier than each of the listed vulnerable web servers are assumed to be vulnerable to exploitation via the phf example code.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-199603-0003",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "http server",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apache",
        "version": "1.0.3"
      },
      {
        "model": "httpd",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ncsa",
        "version": "1.5a"
      },
      {
        "model": "httpd a-export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "ncsa",
        "version": "1.5"
      },
      {
        "model": "apache",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apache",
        "version": "1.0.3"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "629"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ncsa:ncsa_httpd:1.5a:*:export:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "This bug was first made public by the IBM ERS Team. However, the bug was reported to them by Jennifer Myers early in 1996. Previous to that the exploit had been in wide distribution circles among hackers. The actual release date of the IBM ERS Advisory (E",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-1999-0067",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": true,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-1999-0067",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-1999-0067",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#20276",
            "trust": 0.8,
            "value": "60.48"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-199603-002",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-1999-0067",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. \nThe phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior  to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes  possible to execute commands from these calls. \nVersions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via  the phf example code",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      },
      {
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "db": "BID",
        "id": "629"
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "629",
        "trust": 2.0
      },
      {
        "db": "OSVDB",
        "id": "136",
        "trust": 1.7
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067",
        "trust": 1.7
      },
      {
        "db": "CERT/CC",
        "id": "VU#20276",
        "trust": 0.9
      },
      {
        "db": "CERT/CC",
        "id": "CA-1996-06",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "db": "BID",
        "id": "629"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "id": "VAR-199603-0003",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.33333334
  },
  "last_update_date": "2024-01-29T19:09:17.931000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "stixify-core",
        "trust": 0.1,
        "url": "https://github.com/signalscorps/stixify-core "
      },
      {
        "title": "obstracts-core",
        "trust": 0.1,
        "url": "https://github.com/signalscorps/obstracts-core "
      },
      {
        "title": "Common-Vulnerabilities-Exposures",
        "trust": 0.1,
        "url": "https://github.com/lauravoicu/common-vulnerabilities-exposures "
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/lauravoicu/vulnerabilities "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.cert.org/advisories/ca-1996-06.html"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/629"
      },
      {
        "trust": 1.7,
        "url": "http://www.osvdb.org/136"
      },
      {
        "trust": 0.8,
        "url": "http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.1.txt"
      },
      {
        "trust": 0.8,
        "url": "http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.2.txt"
      },
      {
        "trust": 0.8,
        "url": "ftp://ftp.auscert.org.au/pub/auscert/advisory/aa-96.01.vulnerability.in.ncsa.apache.cgi.example.cod"
      },
      {
        "trust": 0.8,
        "url": " ftp://info.cert.org/pub/cert_advisories/ca-96.06.cgi_example_code"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/signalscorps/stixify-core"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.kb.cert.org/vuls/id/20276"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "db": "BID",
        "id": "629"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2001-01-28T00:00:00",
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "date": "1996-03-20T00:00:00",
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "date": "1996-03-20T00:00:00",
        "db": "BID",
        "id": "629"
      },
      {
        "date": "1996-03-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "date": "1996-03-20T05:00:00",
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2006-04-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#20276"
      },
      {
        "date": "2008-09-09T00:00:00",
        "db": "VULMON",
        "id": "CVE-1999-0067"
      },
      {
        "date": "1996-03-20T00:00:00",
        "db": "BID",
        "id": "629"
      },
      {
        "date": "2007-02-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      },
      {
        "date": "2024-01-26T20:00:52.747000",
        "db": "NVD",
        "id": "CVE-1999-0067"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "phf Remote Command Execution Vulnerability",
    "sources": [
      {
        "db": "BID",
        "id": "629"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      }
    ],
    "trust": 0.9
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-199603-002"
      }
    ],
    "trust": 0.6
  }
}



Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

