I realize that that is not directly related to the mailing list, but it could be a useful way of alerting people who deal with intrusion detection. It just happened that a lot of WWW servers run by those people are affected! :)

Alex

------START OF THE FORWARDED MESSAGE FROM linux-alert-----------------

If you are running NCSA's httpd WWW server (or, conceivably, someone else's), have compiled the phf.c application found in the NCSA distribution's cgi-src directory, and have installed it into an area designated for cgi-bin applications, please 'chmod a-x' it immediately. (This applies to *at least* the phf.c application as provided with NCSA httpd versions 1.3 and 1.5a-export; I've not inspected the other distributions yet.)

Many sites (I've looked around a bit and have had a hit rate of roughly 50% so far, but maybe I'm just "lucky")--including the top-level WWW servers for some large and/or very high-profile domains--appear to have "blindly" installed all of the cgi-src applications provided with NCSA's httpd. The most notable aspect of this particular cgi-bin vulnerability, at least to me, is not so much the vulnerability itself (it's been seen before) but rather its quite widespread nature.

This vulnerability allows a remote client to retrieve any world-readable file from the server system, as well as execute commands and create files on the server with the privileges of the euid of the httpd server process. Depending on the server's (mis)configuration, this could conceivably be used as an avenue through which to replace the httpd server binary itself with a trojan--quite possibly to be run as root during the system's next boot cycle. It can also be used, largely independent of the server system's configuration--and rather easily--to gain remote interactive access to the server with the userid that the httpd server runs under.

(I'm sure there are lots of other "nifty" possibilities, but I first found out about this just a few waking hours ago and have so far performed only the most basic proof-of-concept exploits.)

More details (full disclosure, etc.) to follow on the linux-security list and on Bugtraq....

--Up.

P.S. I'll bet everyone just can't wait for Java!

--
Jeff Uphoff - systems/network admin.   | juphoff@nrao.edu
National Radio Astronomy Observatory   | juphoff@bofh.org.uk
Charlottesville, VA, USA               | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
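The forwarded advisory's remediation is a manual 'chmod a-x' on phf. The following shell script is an added example, not part of the original post or of the NCSA distribution: it audits a cgi-bin directory for executable copies of a named sample program (only "phf" is named on the page; the name list is parameterized as an assumption so an admin can extend it), strips their execute bits, and reports how many were changed. The directory paths and the temporary tree it runs against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a cgi-bin tree for
# executable copies of NCSA sample programs and disable them with chmod a-x.

# list_executable_cgis DIR [NAMES]
#   Print, one per line, every executable regular file under DIR whose
#   basename is in the space-separated NAMES list (default: "phf").
list_executable_cgis() {
    dir="$1"
    names="${2:-phf}"
    for n in $names; do
        # Search the whole tree: some sites nest cgi-src programs in subdirectories.
        find "$dir" -type f -name "$n" 2>/dev/null | while IFS= read -r f; do
            if [ -x "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# disable_cgis DIR [NAMES]
#   Apply 'chmod a-x' (the advisory's fix) to every file list_executable_cgis
#   reports, then print the number of files changed.
disable_cgis() {
    changed=0
    for f in $(list_executable_cgis "$1" "$2"); do
        chmod a-x "$f" || return 1
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Demonstration on a constructed temporary tree standing in for a real cgi-bin.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cgi-bin"
printf '#!/bin/sh\necho phf\n' > "$demo_dir/cgi-bin/phf"
chmod 755 "$demo_dir/cgi-bin/phf"
# A non-executable file with another name must be left untouched.
printf 'static content\n' > "$demo_dir/cgi-bin/README"

printf 'executable before: %s\n' "$(list_executable_cgis "$demo_dir/cgi-bin")"
printf 'disabled %s file(s)\n' "$(disable_cgis "$demo_dir/cgi-bin")"
printf 'executable after:  [%s]\n' "$(list_executable_cgis "$demo_dir/cgi-bin")"
rm -rf "$demo_dir"
```

Run it as `sh audit-cgi.sh` after pointing `demo_dir` at the real cgi-bin directory from your httpd configuration; a second run reports zero changes, which doubles as a check that the fix stuck.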