Bug 12796 - net-www/apache
Summary: net-www/apache
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2002-12-27 10:47 UTC by Daniel Ahlberg (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)

Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-27 10:47:20 UTC
'printenv' XSS vulnerability 
 
From: "Dr.Tek" <tek@superw00t.com>
To: bugtraq@securityfocus.com
Date: Sunday 22.49.58
 
 
***** This writing is part of Malloc() Hackers & Malloc() Security ***** 
                        http://www.mallochackers.com 
                        http://www.superw00t.com      
************************************************************************ 
         
Title: 'printenv' XSS vulnerability 
~~~~~ 
           Author: Dr.Tek of Malloc()  
           ~~~~~~ 
 
Contact: "Dr.Tek" - (tek@superw00t.com) 
~~~~~~~ 
 
No modification of the contents of this file should be made 
without direct consent of the author or of Malloc() hackers or 
Malloc() Security. 
************************************************************************ 
 
 
'printenv' is a test CGI script that tends to come default with most 
Apache installations. Usually located in the "/cgi-bin/" directory. 
 
 
An XSS vulnerability exists which will allow anyone to input specially  
crafted links and/or other malicious/obscene scripts. 
 
 
Example exploitation: 
 
http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this  
error, Click here!</a> 
 
 
Fix: 
 
Since 'printenv' is just an example CGI script that has no real use and  
has its own problems, just remove it.
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-27 10:50:44 UTC
Re: 'printenv' XSS vulnerability 
 
From: Marc Slemko <marcs@znep.com>
To: "Dr.Tek" <tek@superw00t.com>
Date: Monday 17.43.13
 
 
On Sun, 22 Dec 2002, Dr.Tek wrote: 
 
> 'printenv' is a test CGI script that tends to come default with most 
> Apache installations. Usually located in the "/cgi-bin/" directory. 
> 
> 
> An XSS vulnerability exists which will allow anyone to input specially 
> crafted links and/or other malicious/obscene scripts. 
> 
> 
> Example exploitation: 
> 
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this 
> error, Click here!</a> 
 
That does not pose any cross site scripting risk when using standards 
compliant browsers and a moderately recent version of the script. 
 
It does not output HTML, but rather text/plain.  The only reason 
that may be rendered as HTML for you is if your browser is broken 
and ignores the text/plain MIME type.  IE is known to be broken in 
this way, and yes it is a security hole in IE.  Microsoft has 
decreed, in their infinite wisdom, that text/plain can never be 
used safely with IE with arbitrary input since there is no way to 
encode characters since...  it is plain text. 
 
> 
> 
> Fix: 
> 
> Since 'printenv' is just an example CGI script that has no real use and 
> has its own problems, just remove it. 
 
Agreed, if you don't need it then don't use it.  It isn't installed as 
a runnable script by default for a variety of reasons, including this one.
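
The point made in the reply above (an environment dump is safe only while the client honours text/plain, because plain text has no way to encode characters), as an added example that is not part of the thread or of Apache's printenv script. It goes slightly beyond the thread by showing two defensive renderings: text/plain with the X-Content-Type-Options: nosniff header (not mentioned in the thread), and HTML with every value entity-encoded. The function names and the sample environment are constructed for illustration.

```python
import html

# Constructed sample environment: PATH_INFO carries the markup from the
# example URL in the report.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": '/<a href="bad">If you see this error, Click here!</a>',
}


def render_plain(env):
    """printenv-style dump served as text/plain.

    Plain text cannot be escaped, so safety rests on the client honouring
    the MIME type; nosniff tells it not to guess a different one.
    """
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    body = "".join(f"{k}={v}\n" for k, v in sorted(env.items()))
    return headers, body


def render_html(env):
    """Same dump served as HTML, with every name and value entity-encoded."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    rows = "".join(
        f"{html.escape(k)}={html.escape(v, quote=True)}\n"
        for k, v in sorted(env.items())
    )
    return headers, f"<!DOCTYPE html>\n<pre>\n{rows}</pre>\n"


def to_cgi_response(headers, body):
    """Serialise headers and body the way a CGI script writes them to stdout."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return head + "\r\n" + body


if __name__ == "__main__":
    print(to_cgi_response(*render_plain(SAMPLE_ENV)))
    print(to_cgi_response(*render_html(SAMPLE_ENV)))
```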