On Sun, 22 Dec 2002, Dr.Tek wrote: > 'printenv' is a test CGI script that tends to come default with most > Apache installation. Usually located in the "/cgi-bin/" directory. > > > An XSS vulnerbility exist which will allow anyone to input specially > crafted links and/or other malicious/obscene scripts. > > > Example exploitation: > > http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this > error, Click here!</a> That does not post any cross site scripting risk when using standards compliant browsers and a moderately recent version of the script. It does not output HTML, but rather text/plain. The only reason that may be rendered as HTML for you is if your browser is broken and ignores the text/plain MIME type. IE is known to be broken in this way, and yes it is a security hole in IE. Microsoft has decreed, in their infinite wisdom, that text/plain can never be used safely with IE with arbitrary input since there is no way to encode characters since... it is plain text. > > > Fix: > > Since 'printenv' is just an example CGI script that has no real use and > has its own problems. Just remove it. Agreed, if you don't need it then don't use it. It isn't installed as a runnable script by default for a variety of reasons, including this one.
