[28308] in bugtraq
Re: 'printenv' XSS vulnerability
daemon@ATHENA.MIT.EDU (Marc Slemko)
Mon Dec 23 16:09:53 2002
Date: Mon, 23 Dec 2002 08:43:13 -0800 (PST)
From: Marc Slemko <marcs@znep.com>
To: "Dr.Tek" <tek@superw00t.com>
In-Reply-To: <20021222214958.3166.qmail@mail.securityfocus.com>
Message-ID: <Pine.NEB.4.51.0212230839180.8201@rhombus.znep.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Sun, 22 Dec 2002, Dr.Tek wrote:
> 'printenv' is a test CGI script that tends to come default with most
> Apache installation. Usually located in the "/cgi-bin/" directory.
>
>
> An XSS vulnerbility exist which will allow anyone to input specially
> crafted links and/or other malicious/obscene scripts.
>
>
> Example exploitation:
>
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
> error, Click here!</a>
That does not post any cross site scripting risk when using standards
compliant browsers and a moderately recent version of the script.
It does not output HTML, but rather text/plain. The only reason
that may be rendered as HTML for you is if your browser is broken
and ignores the text/plain MIME type. IE is known to be broken in
this way, and yes it is a security hole in IE. Microsoft has
decreed, in their infinite wisdom, that text/plain can never be
used safely with IE with arbitrary input since there is no way to
encode characters since... it is plain text.
>
>
> Fix:
>
> Since 'printenv' is just an example CGI script that has no real use and
> has its own problems. Just remove it.
Agreed, if you don't need it then don't use it. It isn't installed as
a runnable script by default for a variety of reasons, including this one.
