var-199603-0003
Vulnerability from variot
phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. Versions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-199603-0003",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "http server",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "1.0.3"
},
{
"model": "httpd",
"scope": "eq",
"trust": 1.0,
"vendor": "ncsa",
"version": "1.5a"
},
{
"model": "httpd a-export",
"scope": "eq",
"trust": 0.3,
"vendor": "ncsa",
"version": "1.5"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "1.0.3"
}
],
"sources": [
{
"db": "BID",
"id": "629"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ncsa:ncsa_httpd:1.5a:*:export:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "This bug was first made public by the IBM ERS Team. However, the bug was reported to them by Jennifer Myers early in 1996. Previous to that the exploit had been in wide distribution circles among hackers. The actual release date of the IBM ERS Advisory (E",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
}
],
"trust": 0.6
},
"cve": "CVE-1999-0067",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-1999-0067",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-1999-0067",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#20276",
"trust": 0.8,
"value": "60.48"
},
{
"author": "CNNVD",
"id": "CNNVD-199603-002",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-1999-0067",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#20276"
},
{
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. \nThe phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. \nVersions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code",
"sources": [
{
"db": "NVD",
"id": "CVE-1999-0067"
},
{
"db": "CERT/CC",
"id": "VU#20276"
},
{
"db": "BID",
"id": "629"
},
{
"db": "VULMON",
"id": "CVE-1999-0067"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "629",
"trust": 2.0
},
{
"db": "OSVDB",
"id": "136",
"trust": 1.7
},
{
"db": "NVD",
"id": "CVE-1999-0067",
"trust": 1.7
},
{
"db": "CERT/CC",
"id": "VU#20276",
"trust": 0.9
},
{
"db": "CERT/CC",
"id": "CA-1996-06",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-1999-0067",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#20276"
},
{
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"db": "BID",
"id": "629"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"id": "VAR-199603-0003",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.33333334
},
"last_update_date": "2024-01-29T19:09:17.931000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "stixify-core",
"trust": 0.1,
"url": "https://github.com/signalscorps/stixify-core "
},
{
"title": "obstracts-core",
"trust": 0.1,
"url": "https://github.com/signalscorps/obstracts-core "
},
{
"title": "Common-Vulnerabilities-Exposures",
"trust": 0.1,
"url": "https://github.com/lauravoicu/common-vulnerabilities-exposures "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/lauravoicu/vulnerabilities "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-1999-0067"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.cert.org/advisories/ca-1996-06.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/629"
},
{
"trust": 1.7,
"url": "http://www.osvdb.org/136"
},
{
"trust": 0.8,
"url": "http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.1.txt"
},
{
"trust": 0.8,
"url": "http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.2.txt"
},
{
"trust": 0.8,
"url": "ftp://ftp.auscert.org.au/pub/auscert/advisory/aa-96.01.vulnerability.in.ncsa.apache.cgi.example.cod"
},
{
"trust": 0.8,
"url": " ftp://info.cert.org/pub/cert_advisories/ca-96.06.cgi_example_code"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://github.com/signalscorps/stixify-core"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.kb.cert.org/vuls/id/20276"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#20276"
},
{
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#20276"
},
{
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"db": "BID",
"id": "629"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-01-28T00:00:00",
"db": "CERT/CC",
"id": "VU#20276"
},
{
"date": "1996-03-20T00:00:00",
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"date": "1996-03-20T00:00:00",
"db": "BID",
"id": "629"
},
{
"date": "1996-03-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"date": "1996-03-20T05:00:00",
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-04-17T00:00:00",
"db": "CERT/CC",
"id": "VU#20276"
},
{
"date": "2008-09-09T00:00:00",
"db": "VULMON",
"id": "CVE-1999-0067"
},
{
"date": "1996-03-20T00:00:00",
"db": "BID",
"id": "629"
},
{
"date": "2007-02-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-199603-002"
},
{
"date": "2024-01-26T20:00:52.747000",
"db": "NVD",
"id": "CVE-1999-0067"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "phf Remote Command Execution Vulnerability",
"sources": [
{
"db": "BID",
"id": "629"
},
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-199603-002"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.