BugTraq
Back to list
|
Post reply
'printenv' XSS vulnerability
Dec 22 2002 09:49PM
Dr.Tek (tek superw00t com)
(1 replies)
***** This writing is part of Malloc() Hackers & Malloc() Security *****
http://www.mallochackers.com
http://www.superw00t.com
************************************************************************
Title: 'printenv' XSS vulnerability
~~~~~
Author: Dr.Tek of Malloc()
~~~~~~
Contact: "Dr.Tek" - (tek (at) superw00t (dot) com [email concealed])
~~~~~~~
No modification of the contents of this file should be made
without direct consent of the author or of Malloc() hackers or
Malloc() Security.
************************************************************************
'printenv' is a test CGI script that tends to come default with most
Apache installation. Usually located in the "/cgi-bin/" directory.
An XSS vulnerbility exist which will allow anyone to input specially
crafted links and/or other malicious/obscene scripts.
Example exploitation:
http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
error, Click here!</a>
Fix:
Since 'printenv' is just an example CGI script that has no real use and
has its own problems. Just remove it.
[ reply ]
Re: 'printenv' XSS vulnerability
Dec 23 2002 04:43PM
Marc Slemko (marcs znep com)
Privacy Statement
Copyright 2010, SecurityFocus
***** This writing is part of Malloc() Hackers & Malloc() Security *****
http://www.mallochackers.com
http://www.superw00t.com
************************************************************************
Title: 'printenv' XSS vulnerability
~~~~~
Author: Dr.Tek of Malloc()
~~~~~~
Contact: "Dr.Tek" - (tek (at) superw00t (dot) com [email concealed])
~~~~~~~
No modification of the contents of this file should be made
without direct consent of the author or of Malloc() hackers or
Malloc() Security.
************************************************************************
'printenv' is a test CGI script that tends to come default with most
Apache installation. Usually located in the "/cgi-bin/" directory.
An XSS vulnerbility exist which will allow anyone to input specially
crafted links and/or other malicious/obscene scripts.
Example exploitation:
http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this
error, Click here!</a>
Fix:
Since 'printenv' is just an example CGI script that has no real use and
has its own problems. Just remove it.
[ reply ]