Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

'printenv' XSS vulnerability

From: Dr.Tek <tek () superw00t com>
Date: 22 Dec 2002 21:49:58 -0000



***** This writing is part of Malloc() Hackers & Malloc() Security *****
                        http://www.mallochackers.com
                        http://www.superw00t.com     
************************************************************************
        
Title: 'printenv' XSS vulnerability
~~~~~
           Author: Dr.Tek of Malloc() 
           ~~~~~~

Contact: "Dr.Tek" - (tek () superw00t com)
~~~~~~~

No modification of the contents of this file should be made
without direct consent of the author or of Malloc() hackers or
Malloc() Security.
************************************************************************


'printenv' is a test CGI script that tends to come default with most
Apache installation. Usually located in the "/cgi-bin/" directory.


An XSS vulnerbility exist which will allow anyone to input specially 
crafted links and/or other malicious/obscene scripts.


Example exploitation:

http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this 
error, Click here!</a>


Fix:

Since 'printenv' is just an example CGI script that has no real use and 
has its own problems. Just remove it.
Previous By Date Next
Previous By Thread Next

Current thread: