12796 – net-www/apache

Bug 12796 - net-www/apache

Summary: net-www/apache

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	x86 Linux

Importance:	Highest critical (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2002-12-27 10:47 UTC by Daniel Ahlberg (RETIRED)
Modified:	2011-10-30 22:41 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Ahlberg (RETIRED) gentoo-dev

2002-12-27 10:47:20 UTC

'printenv' XSS vulnerability 

From:  
"Dr.Tek" <tek@superw00t.com> 

To:  
bugtraq@securityfocus.com 

Date:  
Sunday 22.49.58 

***** This writing is part of Malloc() Hackers & Malloc() Security ***** 
                        http://www.mallochackers.com 
                        http://www.superw00t.com      
************************************************************************ 

Title: 'printenv' XSS vulnerability 
~~~~~ 
           Author: Dr.Tek of Malloc()  
           ~~~~~~ 

Contact: "Dr.Tek" - (tek@superw00t.com) 
~~~~~~~ 

No modification of the contents of this file should be made 
without direct consent of the author or of Malloc() hackers or 
Malloc() Security. 
************************************************************************ 

'printenv' is a test CGI script that tends to come default with most 
Apache installation. Usually located in the "/cgi-bin/" directory. 

An XSS vulnerbility exist which will allow anyone to input specially  
crafted links and/or other malicious/obscene scripts. 

Example exploitation: 

http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this  
error, Click here!</a> 

Fix: 

Since 'printenv' is just an example CGI script that has no real use and  
has its own problems. Just remove it.

Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev

2002-12-27 10:50:44 UTC

Re: 'printenv' XSS vulnerability 

From:  
Marc Slemko <marcs@znep.com> 

To:  
"Dr.Tek" <tek@superw00t.com> 

Date:  
Monday 17.43.13 

On Sun, 22 Dec 2002, Dr.Tek wrote: 

> 'printenv' is a test CGI script that tends to come default with most 
> Apache installation. Usually located in the "/cgi-bin/" directory. 
> 
> 
> An XSS vulnerbility exist which will allow anyone to input specially 
> crafted links and/or other malicious/obscene scripts. 
> 
> 
> Example exploitation: 
> 
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this 
> error, Click here!</a> 

That does not post any cross site scripting risk when using standards 
compliant browsers and a moderately recent version of the script. 

It does not output HTML, but rather text/plain.  The only reason 
that may be rendered as HTML for you is if your browser is broken 
and ignores the text/plain MIME type.  IE is known to be broken in 
this way, and yes it is a security hole in IE.  Microsoft has 
decreed, in their infinite wisdom, that text/plain can never be 
used safely with IE with arbitrary input since there is no way to 
encode characters since...  it is plain text. 

> 
> 
> Fix: 
> 
> Since 'printenv' is just an example CGI script that has no real use and 
> has its own problems. Just remove it. 

Agreed, if you don't need it then don't use it.  It isn't installed as 
a runnable script by default for a variety of reasons, including this one.