| VID | 21070 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The "phf" CGI is installed. A vulnerability exists in the phf phone book program included with older NCSA and Apache server packages that allows a remote attacker to execute arbitrary commands on your web server through shell metacharacters. Exploit information for this vulnerability is widespread and many programs exist to actively probe entire networks for this vulnerability. An attacker could use the phone book program to deface the web page. |
| Recommendation | The phf program is not necessary for normal operation of your web server and should be removed from the cgi-bin directory. |
| Related URL | CVE-1999-0067 (CVE) |
| Related URL | 629 (SecurityFocus) |
| Related URL | 148 (ISS) |