Apache PrintEnv/Test_CGI Script...

Published: 2000-02-02
Revised: 2025-04-13

Printenv and test_cgi are default scripts that ship with the Apache web server. Apache releases prior to 1.3.12 ship with versions of these scripts that do not properly escape HTML tags. As a result, it may be possible for an attacker to include arbitrary script code in values that the vulnerable CGI scripts output to web pages. The vendor addressed this issue by changing the content type sent by these scripts to the MIME type text/plain. However, some web browsers, in particular Microsoft Internet Explorer, do not correctly handle this MIME type and interpret anything in the page that looks like HTML tags as HTML. The consequence is that it is still possible to cause script code to be executed by some browsers.
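The root cause described above is missing output escaping, so a fix that does not depend on how a browser treats text/plain is to escape every echoed value. The following is an added example, not Apache's shipped printenv or test-cgi script; the function names, the list of variables and the X-Content-Type-Options header are assumptions that do not come from this advisory.

```shell
#!/bin/sh
# Added example: a printenv-style CGI that escapes what it echoes.
# Not Apache's shipped printenv/test-cgi script.

# Replace HTML metacharacters with entities. '&' goes first so the
# entities produced by the later rules are not escaped a second time.
html_escape() {
    printf '%s' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#39;/g"
}

# Emit the CGI response. The variable list is an assumption: a few
# request-controlled values such a diagnostic script would echo.
render_env() {
    # Explicit type and charset, so nothing is left to browser guessing.
    printf 'Content-Type: text/html; charset=utf-8\r\n'
    # Assumption: a header newer than this advisory that tells
    # supporting browsers not to sniff the MIME type.
    printf 'X-Content-Type-Options: nosniff\r\n\r\n'
    printf '<pre>\n'
    for name in QUERY_STRING PATH_INFO HTTP_USER_AGENT HTTP_REFERER; do
        eval "value=\${$name-}"
        printf '%s=%s\n' "$name" "$(html_escape "$value")"
    done
    printf '</pre>\n'
}

# Outside a web server, use a constructed sample value.
[ -n "${GATEWAY_INTERFACE-}" ] || QUERY_STRING='q=<b title="x">&</b>'
render_env
```

Because the values are entity-encoded before they reach the page, markup in a request header or query string is displayed as text whichever way the browser decides to render the response.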

No exploit (Exp) or PoC currently available
There are currently 0 affected product entries