Re: 'printenv' XSS vulnerability
From: Marc Slemko (marcs@znep.com)
Date: 12/23/02
- Previous message: Andrew Daviel: "junkbuster 2.0-1 proxy relaying spam"
- In reply to: Dr.Tek: "'printenv' XSS vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 Dec 2002 08:43:13 -0800 (PST) From: Marc Slemko <marcs@znep.com> To: "Dr.Tek" <tek@superw00t.com>
On Sun, 22 Dec 2002, Dr.Tek wrote:
> 'printenv' is a test CGI script that tends to come default with most
> Apache installation. Usually located in the "/cgi-bin/" directory.
>
>
> An XSS vulnerbility exist which will allow anyone to input specially
> crafted links and/or other malicious/obscene scripts.
>
>
> Example exploitation:
>
> http://www.w00tw00t.com/cgi-bin/printenv/
> error, Click here!</a>
That does not post any cross site scripting risk when using standards
compliant browsers and a moderately recent version of the script.
It does not output HTML, but rather text/plain. The only reason
that may be rendered as HTML for you is if your browser is broken
and ignores the text/plain MIME type. IE is known to be broken in
this way, and yes it is a security hole in IE. Microsoft has
decreed, in their infinite wisdom, that text/plain can never be
used safely with IE with arbitrary input since there is no way to
encode characters since... it is plain text.
>
>
> Fix:
>
> Since 'printenv' is just an example CGI script that has no real use and
> has its own problems. Just remove it.
Agreed, if you don't need it then don't use it. It isn't installed as
a runnable script by default for a variety of reasons, including this one.
- Next message: Stephan Sachweh: "Antwort: Openwebmail 1.71 remote root compromise"
- Previous message: Andrew Daviel: "junkbuster 2.0-1 proxy relaying spam"
- In reply to: Dr.Tek: "'printenv' XSS vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
