'printenv' XSS vulnerability

From: Dr.Tek (tekat_private)
Date: Sun Dec 22 2002 - 13:49:58 PST

    ***** This writing is part of Malloc() Hackers & Malloc() Security *****
     			http://www.mallochackers.com
    			http://www.superw00t.com     
    ************************************************************************
     	
    Title: 'printenv' XSS vulnerability
    ~~~~~
      	   Author: Dr.Tek of Malloc() 
               ~~~~~~
    
    Contact: "Dr.Tek" - (tekat_private)
    ~~~~~~~
    
    No modification of the contents of this file should be made
    without direct consent of the author or of Malloc() hackers or
    Malloc() Security.
    ************************************************************************
    
    
    'printenv' is a test CGI script that tends to come by default with most
    Apache installations, usually located in the "/cgi-bin/" directory.
    
    
    An XSS vulnerability exists which will allow anyone to input specially 
    crafted links and/or other malicious/obscene scripts.
    
    
    Example exploitation:
    
    http://www.w00tw00t.com/cgi-bin/printenv/<a href="bad">If you see this 
    error, Click here!</a>
    
    
    Fix:
    
    Since 'printenv' is just an example CGI script that has no real use and 
    has its own problems, just remove it.
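
The mechanism behind the example URL, as an added illustration that is not part of the original advisory and is not the real printenv source: it assumes the script echoes request-derived variables such as PATH_INFO into an HTML page without encoding, and contrasts that with HTML-escaped output. The function names and the sample environment are constructed for this example.

```python
import html

# Constructed request environment: PATH_INFO carries the markup from the
# advisory's example URL (everything after /cgi-bin/printenv).
SAMPLE_ENV = {
    "SERVER_SOFTWARE": "Apache",
    "SCRIPT_NAME": "/cgi-bin/printenv",
    "PATH_INFO": '/<a href="bad">If you see this error, Click here!</a>',
}


def render_unescaped(env):
    """Assumed vulnerable pattern: values are written into the page verbatim."""
    rows = [f"{name} = {value}<br>" for name, value in sorted(env.items())]
    return "<html><body>\n" + "\n".join(rows) + "\n</body></html>"


def render_escaped(env):
    """Hardened pattern: HTML-encode every name and value before output."""
    rows = [
        f"{html.escape(name)} = {html.escape(value, quote=True)}<br>"
        for name, value in sorted(env.items())
    ]
    return "<html><body>\n" + "\n".join(rows) + "\n</body></html>"


def contains_live_anchor(page):
    """True if the request-supplied <a> tag survives as real markup."""
    return '<a href="bad">' in page


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped),
                          ("escaped", render_escaped)):
        page = render(SAMPLE_ENV)
        print(label, "-> injected link is live markup:",
              contains_live_anchor(page))
```

Escaping only addresses the reflected markup; the advisory's fix of removing the script also stops it from disclosing the server environment to any visitor.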
    


