Field | Value | Field | Value
---|---|---|---
Summary: | net-www/apache | |
Product: | Gentoo Security | Reporter: | Daniel Ahlberg (RETIRED) <aliz>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED INVALID | |
Severity: | critical | |
Priority: | Highest | |
Version: | unspecified | |
Hardware: | x86 | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Daniel Ahlberg (RETIRED)
2002-12-27 10:47:20 UTC
Re: 'printenv' XSS vulnerability
From: Marc Slemko <marcs@znep.com>
To: "Dr.Tek" <tek@superw00t.com>
Date: Monday 17.43.13

On Sun, 22 Dec 2002, Dr.Tek wrote:
> 'printenv' is a test CGI script that tends to come default with most
> Apache installations. Usually located in the "/cgi-bin/" directory.
>
> An XSS vulnerability exists which will allow anyone to input specially
> crafted links and/or other malicious/obscene scripts.
>
> Example exploitation:
>
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
> error, Click here!</a>

That does not pose any cross site scripting risk when using standards
compliant browsers and a moderately recent version of the script. It does
not output HTML, but rather text/plain. The only reason that may be
rendered as HTML for you is if your browser is broken and ignores the
text/plain MIME type. IE is known to be broken in this way, and yes it is
a security hole in IE. Microsoft has decreed, in their infinite wisdom,
that text/plain can never be used safely with IE with arbitrary input
since there is no way to encode characters since... it is plain text.

> Fix:
>
> Since 'printenv' is just an example CGI script that has no real use and
> has its own problems. Just remove it.

Agreed, if you don't need it then don't use it. It isn't installed as a
runnable script by default for a variety of reasons, including this one.
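The following is an added illustration of the argument in the quoted thread; it is not the Apache printenv script nor code from anyone in the thread. It models three responses to the request above: the stock behaviour (raw environment dump, Content-Type text/plain), the same response with an `X-Content-Type-Options: nosniff` header (a later-era defence against browsers that ignore text/plain, not something the 2002 thread mentions), and a hypothetical HTML-emitting variant that escapes every value. The sample CGI environment is constructed, and the two "browser" predicates are a deliberately simplified model of a standards-compliant browser versus a sniffing one, not a description of any real browser's heuristics.

```python
import html

# Constructed sample CGI environment (not captured from a real server): roughly what
# Apache hands a CGI script for GET /cgi-bin/printenv/<a href="bad">...</a>, with the
# attacker-controlled markup arriving through PATH_INFO.
ATTACK_MARKUP = '<a href="bad">If you see this error, Click here!</a>'
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "SERVER_SOFTWARE": "Apache/1.3.27",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": "/" + ATTACK_MARKUP,
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0)",
}


def printenv_text(env):
    """Model of the stock printenv behaviour the thread describes: every
    environment variable is echoed verbatim, and the response is labelled text/plain."""
    body = "".join(f"{k}={v}\n" for k, v in sorted(env.items()))
    return {"Content-Type": "text/plain"}, body


def printenv_text_nosniff(env):
    """Same body, plus the header that tells sniffing browsers to honour text/plain.
    This header postdates the thread; it is the modern answer to the IE behaviour
    Slemko complains about."""
    headers, body = printenv_text(env)
    headers["X-Content-Type-Options"] = "nosniff"
    return headers, body


def printenv_html(env):
    """Hypothetical HTML-emitting variant: once the declared type is text/html,
    every reflected value must be HTML-escaped or the XSS is real."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>\n"
        for k, v in sorted(env.items())
    )
    body = f"<html><body><table>\n{rows}</table></body></html>\n"
    return {"Content-Type": "text/html"}, body


def _declared_type(headers):
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def exploitable_in_compliant_browser(headers, body, marker=ATTACK_MARKUP):
    """A standards-compliant browser executes markup only when the declared
    type is HTML, so raw markup in a text/plain body is inert."""
    return _declared_type(headers) == "text/html" and marker in body


def exploitable_in_sniffing_browser(headers, body, marker=ATTACK_MARKUP):
    """Simplified model (an assumption for this example) of a browser that
    ignores text/plain and sniffs for HTML unless nosniff is present."""
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return exploitable_in_compliant_browser(headers, body, marker)
    return marker in body


if __name__ == "__main__":
    variants = (
        ("text/plain", printenv_text),
        ("text/plain + nosniff", printenv_text_nosniff),
        ("escaped text/html", printenv_html),
    )
    for name, fn in variants:
        h, b = fn(SAMPLE_ENV)
        print(f"{name:22} compliant={exploitable_in_compliant_browser(h, b)!s:5} "
              f"sniffing={exploitable_in_sniffing_browser(h, b)}")
```

Run stand-alone, it shows the thread's point: the text/plain dump reflects the attacker's markup untouched yet is only "exploitable" under the sniffing model, the nosniff header closes that gap, and the HTML variant is safe only because it escapes.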