ID

VAR-199603-0003


CVE

CVE-1999-0067


TITLE

phf Remote Command Execution Vulnerability

Trust: 0.9

sources: BID: 629 // CNNVD: CNNVD-199603-002

DESCRIPTION

phf CGI program allows remote command execution through shell metacharacters. This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. A vulnerability exists in the sample cgi bin program, phf, which is included with NCSA httpd, and Apache 1.0.3, an NCSA derivitive. By supplying certain characters that have special meaning to the shell, arbitrary commands can be executed by remote users under whatever user the httpd is run as. The phf program, and possibly other programs, call the escape_shell_cmd() function. This subroutine is intended to strip dangerous characters out prior to passing these strings along to shell based library calls, such as popen() or system(). By failing to capture certain characters, however, it becomes possible to execute commands from these calls. Versions below each of the vulnerable webservers are assumed to be vulnerable to exploitation via the phf example code

Trust: 1.98

sources: NVD: CVE-1999-0067 // CERT/CC: VU#20276 // BID: 629 // VULMON: CVE-1999-0067

AFFECTED PRODUCTS

vendor:apachemodel:http serverscope:eqversion:1.0.3

Trust: 1.6

vendor:ncsamodel:httpdscope:eqversion:1.5a

Trust: 1.0

vendor:ncsamodel:httpd a-exportscope:eqversion:1.5

Trust: 0.3

vendor:apachemodel:apachescope:eqversion:1.0.3

Trust: 0.3

sources: BID: 629 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-1999-0067
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#20276
value: 60.48

Trust: 0.8

CNNVD: CNNVD-199603-002
value: CRITICAL

Trust: 0.6

VULMON: CVE-1999-0067
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-1999-0067
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

sources: NVD: CVE-1999-0067

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

PATCH

title:stixify-coreurl:https://github.com/signalscorps/stixify-core

Trust: 0.1

title:obstracts-coreurl:https://github.com/signalscorps/obstracts-core

Trust: 0.1

title:Common-Vulnerabilities-Exposuresurl:https://github.com/lauravoicu/Common-Vulnerabilities-Exposures

Trust: 0.1

title: - url:https://github.com/lauravoicu/Vulnerabilities

Trust: 0.1

sources: VULMON: CVE-1999-0067

EXTERNAL IDS

db:BIDid:629

Trust: 2.0

db:OSVDBid:136

Trust: 1.7

db:NVDid:CVE-1999-0067

Trust: 1.7

db:CERT/CCid:VU#20276

Trust: 0.9

db:CERT/CCid:CA-1996-06

Trust: 0.6

db:CNNVDid:CNNVD-199603-002

Trust: 0.6

db:VULMONid:CVE-1999-0067

Trust: 0.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // BID: 629 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

REFERENCES

url:http://www.cert.org/advisories/ca-1996-06.html

Trust: 2.7

url:http://www.securityfocus.com/bid/629

Trust: 2.7

url:http://www.osvdb.org/136

Trust: 2.7

url:http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.1.txt

Trust: 0.8

url:http://www.ers.ibm.com/tech-info/advisories/sva/1996/ers-sva-e01-1996:002.2.txt

Trust: 0.8

url:ftp://ftp.auscert.org.au/pub/auscert/advisory/aa-96.01.vulnerability.in.ncsa.apache.cgi.example.cod

Trust: 0.8

url: ftp://info.cert.org/pub/cert_advisories/ca-96.06.cgi_example_code

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://github.com/signalscorps/stixify-core

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.kb.cert.org/vuls/id/20276

Trust: 0.1

sources: CERT/CC: VU#20276 // VULMON: CVE-1999-0067 // CNNVD: CNNVD-199603-002 // NVD: CVE-1999-0067

CREDITS

This bug was first made public by the IBM ERS Team. However, the bug was reported to them by Jennifer Myers early in 1996. Previous to that the exploit had been in wide distribution circles among hackers. The actual release date of the IBM ERS Advisory (E

Trust: 0.6

sources: CNNVD: CNNVD-199603-002

SOURCES

db:CERT/CCid:VU#20276
db:VULMONid:CVE-1999-0067
db:BIDid:629
db:CNNVDid:CNNVD-199603-002
db:NVDid:CVE-1999-0067

LAST UPDATE DATE

2024-11-22T22:49:02.726000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#20276date:2006-04-17T00:00:00
db:VULMONid:CVE-1999-0067date:2008-09-09T00:00:00
db:BIDid:629date:1996-03-20T00:00:00
db:CNNVDid:CNNVD-199603-002date:2007-02-08T00:00:00
db:NVDid:CVE-1999-0067date:2024-11-20T23:27:45.950

SOURCES RELEASE DATE

db:CERT/CCid:VU#20276date:2001-01-28T00:00:00
db:VULMONid:CVE-1999-0067date:1996-03-20T00:00:00
db:BIDid:629date:1996-03-20T00:00:00
db:CNNVDid:CNNVD-199603-002date:1996-03-20T00:00:00
db:NVDid:CVE-1999-0067date:1996-03-20T05:00:00