Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/02/16 16:42:41 UTC

DO NOT REPLY [Bug 17107] - Should change sample printenv.pl in cgi-bin directory

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17107>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17107

Should change sample printenv.pl in cgi-bin directory

------- Additional Comments From slive@apache.org  2003-02-16 15:42 -------
This can't really be changed to html because of potential problems with
cross-site-scripting (XSS) that could allow people to steal cookies
and do other nasty things.

Unfortunately, those XSS problems exist on MSIE even with text/plain
because it can be tricked into interpreting the content as text/html.
But at least with text/plain, properly behaved browsers are not vulnerable.

My opinion is that it is too dangerous to be activating printenv.pl in
the default distribution.  It should be removed, or at least deactivated
with a big warning at the top.  Other Apache developers have never seemed
to really share my opinion, however.
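The XSS sink slive describes is that printenv.pl echoes environment variables that the client controls (QUERY_STRING, HTTP_USER_AGENT, and so on) straight into the response body. The script below is an added illustration, not the httpd distribution's printenv.pl: it keeps the text/plain default, HTML-escapes every value if the output is ever switched to text/html, and sends the X-Content-Type-Options: nosniff header (a later browser feature, not something available to the 2003 discussion) so that a sniffing browser cannot reinterpret the plain-text body as HTML. The html_escape helper and the $as_html switch are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not the httpd distribution's printenv.pl.
# Dumps the CGI environment without creating the XSS sink described in the
# bug: request-controlled variables reach the response body, so they must
# never be emitted as raw text/html.
use strict;
use warnings;

# Minimal HTML escaping (assumed helper; HTML::Entities would do as well).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Render each variable on its own line, escaped for the chosen content type.
sub render_env {
    my ($env, $as_html) = @_;
    my $out = '';
    for my $var (sort keys %$env) {
        my $val = $env->{$var};
        $val =~ s/\n/\\n/g;                 # keep one variable per line
        my $line = "$var=\"$val\"";
        $out .= ($as_html ? html_escape($line) : $line) . "\n";
    }
    return $as_html ? "<pre>$out</pre>\n" : $out;
}

# Self-check on a constructed (not captured) value a client could send in
# the query string: the HTML rendering must not contain a live tag.
my %sample = (QUERY_STRING => '<script>alert(1)</script>');
die "escaping failed\n" if render_env(\%sample, 1) =~ /<script>/;

my $as_html = 0;   # text/plain is the safer default, as the comment argues

# Headers: declare the type explicitly and forbid content sniffing.
print "Content-Type: ", ($as_html ? "text/html" : "text/plain"),
      "; charset=utf-8\n";
print "X-Content-Type-Options: nosniff\n";
print "\n";
print render_env(\%ENV, $as_html);
```

Even with escaping in place, the comment's underlying point stands: a script that reflects request headers back to the client has no business being enabled in a default install, so the safer deployment choice is still to remove or disable it rather than rely on the escaping.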

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org