Details of VAR-199603-0003

ID

VAR-199603-0003

CVE

CVE-1999-0067

TITLE

phf Remote Command Execution Vulnerability

Trust: 0.9

sources: BID: 629 // CNNVD: CNNVD-199603-002

DESCRIPTION

phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. Versions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code

Trust: 1.98

sources: NVD: CVE-1999-0067 // CERT/CC: VU#20276 // BID: 629 // VULMON: CVE-1999-0067

AFFECTED PRODUCTS

vendor:	apache	model:	http server	scope:	eq	version:	1.0.3	Trust: 1.6
vendor:	ncsa	model:	httpd	scope:	eq	version:	1.5a	Trust: 1.0
vendor:	ncsa	model:	httpd a-export	scope:	eq	version:	1.5	Trust: 0.3
vendor:	apache	model:	apache	scope:	eq	version:	1.0.3	Trust: 0.3

sources: BID: 629 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-1999-0067
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#20276
value:	60.48
Trust: 0.8
CNNVD:	CNNVD-199603-002
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-1999-0067
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-1999-0067
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-1999-0067

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

PATCH

title:	stixify-core	url:	https://github.com/signalscorps/stixify-core	Trust: 0.1
title:	obstracts-core	url:	https://github.com/signalscorps/obstracts-core	Trust: 0.1
title:	Common-Vulnerabilities-Exposures	url:	https://github.com/lauravoicu/Common-Vulnerabilities-Exposures	Trust: 0.1
title:	-	url:	https://github.com/lauravoicu/Vulnerabilities	Trust: 0.1

sources: VULMON: CVE-1999-0067

EXTERNAL IDS

db:	BID	id:	629	Trust: 2.0
db:	OSVDB	id:	136	Trust: 1.7
db:	NVD	id:	CVE-1999-0067	Trust: 1.7
db:	CERT/CC	id:	VU#20276	Trust: 0.9
db:	CERT/CC	id:	CA-1996-06	Trust: 0.6
db:	CNNVD	id:	CNNVD-199603-002	Trust: 0.6
db:	VULMON	id:	CVE-1999-0067	Trust: 0.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // BID: 629 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

REFERENCES

url:	http://www.cert.org/advisories/ca-1996-06.html	Trust: 1.7
url:	http://www.securityfocus.com/bid/629	Trust: 1.7
url:	http://www.osvdb.org/136	Trust: 1.7
url:	http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.1.txt	Trust: 0.8
url:	http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.2.txt	Trust: 0.8
url:	ftp://ftp.auscert.org.au/pub/auscert/advisory/aa-96.01.vulnerability.in.ncsa.apache.cgi.example.cod	Trust: 0.8
url:	ftp://info.cert.org/pub/cert_advisories/ca-96.06.cgi_example_code	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/signalscorps/stixify-core	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.kb.cert.org/vuls/id/20276	Trust: 0.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

CREDITS

This bug was first made public by the IBM ERS Team. However, the bug was reported to them by Jennifer Myers early in 1996. Previous to that the exploit had been in wide distribution circles among hackers. The actual release date of the IBM ERS Advisory (E

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

SOURCES

db:	CERT/CC	id:	VU#20276
db:	VULMON	id:	CVE-1999-0067
db:	BID	id:	629
db:	CNNVD	id:	CNNVD-199603-002
db:	NVD	id:	CVE-1999-0067

LAST UPDATE DATE

2024-08-14T14:16:26.937000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#20276	date:	2006-04-17T00:00:00
db:	VULMON	id:	CVE-1999-0067	date:	2008-09-09T00:00:00
db:	BID	id:	629	date:	1996-03-20T00:00:00
db:	CNNVD	id:	CNNVD-199603-002	date:	2007-02-08T00:00:00
db:	NVD	id:	CVE-1999-0067	date:	2024-01-26T20:00:52.747

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#20276	date:	2001-01-28T00:00:00
db:	VULMON	id:	CVE-1999-0067	date:	1996-03-20T00:00:00
db:	BID	id:	629	date:	1996-03-20T00:00:00
db:	CNNVD	id:	CNNVD-199603-002	date:	1996-03-20T00:00:00
db:	NVD	id:	CVE-1999-0067	date:	1996-03-20T05:00:00