[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 'printenv' XSS vulnerability
On Sun, 22 Dec 2002, Dr.Tek wrote:
> 'printenv' is a test CGI script that tends to come default with most
> Apache installation. Usually located in the "/cgi-bin/" directory.
> An XSS vulnerbility exist which will allow anyone to input specially
> crafted links and/or other malicious/obscene scripts.
> Example exploitation:
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
> error, Click here!</a>
That does not post any cross site scripting risk when using standards
compliant browsers and a moderately recent version of the script.
It does not output HTML, but rather text/plain. The only reason
that may be rendered as HTML for you is if your browser is broken
and ignores the text/plain MIME type. IE is known to be broken in
this way, and yes it is a security hole in IE. Microsoft has
decreed, in their infinite wisdom, that text/plain can never be
used safely with IE with arbitrary input since there is no way to
encode characters since... it is plain text.
> Since 'printenv' is just an example CGI script that has no real use and
> has its own problems. Just remove it.
Agreed, if you don't need it then don't use it. It isn't installed as
a runnable script by default for a variety of reasons, including this one.