Bugtraq mailing list archives

Re: 'printenv' XSS vulnerability


From: Marc Slemko <marcs () znep com>
Date: Mon, 23 Dec 2002 08:43:13 -0800 (PST)

On Sun, 22 Dec 2002, Dr.Tek wrote:

> 'printenv' is a test CGI script that tends to come default with most
> Apache installations. Usually located in the "/cgi-bin/" directory.
>
> An XSS vulnerability exists which will allow anyone to input specially
> crafted links and/or other malicious/obscene scripts.
>
> Example exploitation:
>
> http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
> error, Click here!</a>

That does not pose any cross site scripting risk when using standards
compliant browsers and a moderately recent version of the script.

It does not output HTML, but rather text/plain.  The only reason
that may be rendered as HTML for you is if your browser is broken
and ignores the text/plain MIME type.  IE is known to be broken in
this way, and yes it is a security hole in IE.  Microsoft has
decreed, in their infinite wisdom, that text/plain can never be
used safely with IE with arbitrary input since there is no way to
encode characters since...  it is plain text.



> Fix:
>
> Since 'printenv' is just an example CGI script that has no real use and
> has its own problems, just remove it.

Agreed, if you don't need it then don't use it.  It isn't installed as
a runnable script by default for a variety of reasons, including this one.
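The MIME-type point above is the whole argument: a text/plain body may contain arbitrary request data, and only a client that ignores the declared type turns that into script execution. The following is an added example, written for this archive page and not taken from Apache's printenv source or from either poster. It builds a CGI-style environment dump two ways, as text/plain (the original's behaviour) and as entity-encoded HTML, and includes a small audit function that flags the conditions under which a sniffing client could treat echoed input as markup. The sample environment is constructed; the nosniff header is a later mitigation that did not exist when this thread was written and is used here as an assumption about what a modern deployment would add.

```python
"""Added example (not Apache's printenv): a CGI-style environment dump
that stays safe even when a value such as PATH_INFO carries markup."""
import html
import sys
from typing import Dict, List, Tuple

# Constructed CGI environment, shaped like what a web server passes to a
# script. PATH_INFO holds the kind of markup discussed in the thread.
SAMPLE_ENV: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": '/<a href="bad">If you see this error, Click here!</a>',
    "SERVER_SOFTWARE": "Apache (constructed value)",
}

Headers = List[Tuple[str, str]]
Response = Tuple[Headers, str]


def build_text_response(env: Dict[str, str]) -> Response:
    """Emit the environment as text/plain, as printenv does.
    Request-controlled bytes are included verbatim; that is safe for a
    text/plain body as long as the client honours the declared type.
    X-Content-Type-Options: nosniff (assumed modern addition) tells
    sniffing browsers not to second-guess that type."""
    headers: Headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    body = "".join(f"{k}={v}\n" for k, v in sorted(env.items()))
    return headers, body


def build_html_response(env: Dict[str, str]) -> Response:
    """If the dump must be HTML, entity-encode every name and value so
    that markup inside a variable is displayed rather than interpreted."""
    headers: Headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>\n"
        for k, v in sorted(env.items())
    )
    body = f"<!DOCTYPE html><html><body><table>\n{rows}</table></body></html>\n"
    return headers, body


def audit_response(env: Dict[str, str], resp: Response) -> List[str]:
    """Defensive check for a response that echoes request data. Returns a
    list of findings (empty means nothing to report)."""
    headers, body = resp
    hdr = {k.lower(): v.lower() for k, v in headers}
    ctype = hdr.get("content-type", "")
    findings: List[str] = []
    # A text/plain body is only as safe as the client's respect for the
    # type; without nosniff a sniffing browser may render it as HTML.
    if ctype.startswith("text/plain") and hdr.get("x-content-type-options") != "nosniff":
        findings.append("text/plain without nosniff: sniffing clients may render it as HTML")
    # For HTML output, any environment value containing markup characters
    # must not appear in the body unescaped.
    if ctype.startswith("text/html"):
        for name, value in env.items():
            if ("<" in value or ">" in value) and value in body:
                findings.append(f"unescaped value of {name} echoed into HTML")
    return findings


if __name__ == "__main__":
    # Stand-alone use: write a CGI response for the constructed environment.
    hdrs, text = build_text_response(SAMPLE_ENV)
    for name, value in hdrs:
        sys.stdout.write(f"{name}: {value}\r\n")
    sys.stdout.write("\r\n" + text)
```

Run as a script it prints the headers and the dump; imported, the three functions can be applied to a real `os.environ` in the same way. The audit is deliberately narrow: it reports the two concrete failure modes the thread is about, a plain-text dump served to a client that may sniff it, and an HTML dump that forgot to escape.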

