How to fix 'phf' CGI security flaw on Solaris

Hi experts,

I have a Solaris 9 machine on my local network.
A Nessus security scan found that I have the following vulnerability.
I would appreciate it if you could guide me on how to fix this.

Vulnerability http (80/tcp) The 'phf' CGI is installed. This CGI has
a well known security flaw that lets an attacker execute arbitrary
commands with the privileges of the http daemon (usually root or nobody).

Solution : remove it from /cgi-bin.

Risk factor : High
CVE : CVE-1999-0067
BID : 629
Nessus ID : 10176  

thanks
Asked by cakirfatih
 
yuzh Commented:
Have a look at your httpd.conf file and search for cgi-bin or ScriptAlias to see if you can
locate the cgi-bin for your web server, then have a look at the dir to see if it is there.

In the worst case, you can type in the following command (as root, or su as root):

find / -type f -name "*phf*"
to check it out.

Your version of Apache is very old... consider updating Apache on your server and patching up your system.

Please have a look at this doc:
http://www.apacheweek.com/issues/96-09-27

For Solaris Recommended Patch Clusters download:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage

Apache binary package download:
http://sunfreeware.com/

Good luck !
0
 
yuzh Commented:
phf is part of Apache! (See the comment in the httpd.conf-example file.)

To secure it, you can edit the httpd.conf (do a search in the file), and uncomment these lines:
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>

Make them look like:

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>

Then restart apache:
           /etc/rc3.d/S50apache stop
           /etc/rc3.d/S50apache start
0
 
cakirfatih (Author) Commented:
yuzh,

Thanks for your response. I will apply this as soon as I can.
In the meantime, would you tell me if this fix directly addresses the vulnerability found by the Nessus scan?
I am asking because the report I was given says to remove it from /cgi-bin.

thanks
0
 
yuzh Commented:
Sorry, I cut and pasted the wrong code for you; here is the
correct one:

# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

Make it look like:

<Location /cgi-bin/phf*>
   Deny from all
   ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
</Location>

You can move the script outside the cgi-bin to stop it
from running.

Good night!

0
 
cakirfatih (Author) Commented:
I don't find the entry below in my httpd.conf file:

# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

0
 
cakirfatih (Author) Commented:
Can you also explain how I can move the script outside the cgi-bin to stop it
from running?

I am not well versed with Unix systems.

thanks
0
 
cakirfatih (Author) Commented:
This is what it says in my httpd.conf:
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

<IfModule mod_cgid.c>

But there is no file regarding phf under the /usr/local/apache2/cgi-bin/ directory.

When I do a search I get this:
bash-2.05# find / -type f -name "*phf*"
/data/alnaji/cgi-bin/phf

And the /data/alnaji/cgi-bin/ directory has a file with the name "phf".

Is this the one I should remove from my computer?

0
 
cakirfatih (Author) Commented:
I agree that I should update this system,
but I will ask another question for that, and I would love to read your responses on that.

I just need to solve this issue, because I am on a deadline with this.

thanks
0
 
yuzh Commented:
Check your httpd.conf file; search for "alnaji" and see what you can find!

You can move /data/alnaji/cgi-bin/phf to somewhere outside the web stuff (e.g.
to your home dir), restart Apache and see what happens.
0
 
cakirfatih (Author) Commented:
Hi again,

This is what I have in my httpd.conf regarding alnaji:

<VirtualHost *:80>
     ServerAdmin root@tasd.com
     DocumentRoot /data/alnaji/docs/epa
     ServerName ei.asd.com
     ErrorLog logs/ei.asd.com-error_log
     CustomLog logs/ei.asd.com-access_log common
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
     RewriteRule .* - [F]

     ScriptAlias /cgi-bin/ "/data/alnaji/cgi-bin/"

     <Directory "/data/alnaji/cgi-bin">
         AllowOverride All
         Options +ExecCGI
         Options FollowSymLinks
         Order allow,deny
         Allow from all
     </Directory>

</VirtualHost>

thanks
0
 
yuzh Commented:
You have a virtual host ei.asd.com with a cgi-bin which can run the phf script!

If you are not running the virtual host for ei.asd.com, comment those lines out and then
restart Apache.
0
 
cakirfatih (Author) Commented:
I am using that virtual host.
I removed that file from the cgi-bin directory and it solved my problem.

Thanks for all the help.
0
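The check this thread arrives at, as an added example that is not part of the original posts: list every ScriptAlias directory in httpd.conf, including those inside VirtualHost blocks, look for phf in each, and move any hit out of the web tree. The function names, the quarantine directory and the sample layout are assumptions; it assumes bash and an awk with gsub (nawk on Solaris).

```shell
#!/bin/sh
# Added example: audit every ScriptAlias directory in an Apache config for phf.
# Include files are not followed; paths containing spaces are not handled.

# Print the real directory of each active (uncommented) ScriptAlias line.
list_cgi_dirs() {
    awk 'tolower($1) == "scriptalias" && NF >= 3 {
             gsub(/"/, "", $3); sub(/\/$/, "", $3); print $3
         }' "$1" | sort -u
}

# Print every file matching phf* (the thread's Location pattern) in them.
find_phf() {
    list_cgi_dirs "$1" | while read -r dir; do
        if [ -d "$dir" ]; then find "$dir" -type f -name 'phf*' -print; fi
    done
}

# Move each hit into a quarantine directory outside the web tree and strip
# all permissions, keeping the file for later inspection. Prints each move.
quarantine_phf() {
    qdir=$2
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    find_phf "$1" | while read -r f; do
        dest="$qdir/$(echo "$f" | tr '/' '_')"
        mv "$f" "$dest" && chmod 000 "$dest" && echo "$f -> $dest"
    done
}

# Constructed sample mirroring the thread: the main cgi-bin is clean, the
# virtual host's cgi-bin holds phf. Builds it under $1, prints the conf path.
make_sample() {
    root=$1
    mkdir -p "$root/apache2/cgi-bin" "$root/alnaji/cgi-bin"
    : > "$root/apache2/cgi-bin/printenv"
    : > "$root/alnaji/cgi-bin/phf"
    cat > "$root/httpd.conf" <<EOF
# ScriptAlias: This controls which directories contain server scripts.
ScriptAlias /cgi-bin/ "$root/apache2/cgi-bin/"
<VirtualHost *:80>
     ScriptAlias /cgi-bin/ "$root/alnaji/cgi-bin/"
</VirtualHost>
EOF
    echo "$root/httpd.conf"
}

# Read-only by default: with one argument, only report what was found.
if [ "$#" -eq 1 ]; then find_phf "$1"; fi
```

Checking only the first ScriptAlias, as happened earlier in the thread, misses the virtual host's directory; after quarantining, a second `find_phf` run should print nothing.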