PT-2000-1990 · Apache · Apache+1
Published 2000-02-01 · Updated 2021-06-06 · CVE-2000-1205
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Apache versions 1.3.0 through 1.3.11
Description
The issue allows remote attackers to execute scripts as other web site visitors. This can occur via the printenv CGI, which does not encode its output, pages generated by the ap_send_error_response function, or various messages generated by Apache modules or core code. Attackers can embed malicious HTML tags in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. This could allow attackers to obtain copies of private cookies used to authenticate users to other sites.
Recommendations
For Apache versions 1.3.0 through 1.3.11, consider disabling the printenv CGI or ensuring that its output is properly encoded to prevent cross-site scripting attacks. Additionally, restrict access to default error pages generated by the ap_send_error_response function and ensure that all information displayed to users is carefully encoded. As a temporary workaround, consider restricting the use of certain Apache modules or core code that generate vulnerable messages until a patch is available.
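The output-encoding recommendation, shown as an added example (not Apache's printenv script or any code from this advisory): a printenv-style listing rendered without and with HTML encoding. The function names and the sample environment are constructed for illustration.

```python
import html

# Constructed sample of a CGI environment; two values carry markup that
# the client supplied in its request.
SAMPLE_ENV = {
    "SERVER_SOFTWARE": "Apache/1.3.11 (Unix)",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "x=<script>alert(1)</script>",
    "HTTP_USER_AGENT": 'demo"><b>agent</b>',
}


def render_unencoded(env):
    """Listing as a script that does not encode its output builds it (the flaw)."""
    rows = [f"{name}={value}<br>" for name, value in sorted(env.items())]
    return "<html><body>\n" + "\n".join(rows) + "\n</body></html>"


def render_encoded(env):
    """Same listing with every request-derived string HTML-encoded."""
    rows = []
    for name, value in sorted(env.items()):
        # Names are encoded as well: HTTP_* names derive from request headers.
        rows.append(
            f"{html.escape(name, quote=True)}={html.escape(value, quote=True)}<br>"
        )
    return "<html><body>\n" + "\n".join(rows) + "\n</body></html>"


def contains_active_markup(page):
    """Regression check for this sample: did a client-supplied tag survive?"""
    return "<script>" in page or "<b>" in page


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        page = render(SAMPLE_ENV)
        print(render.__name__, "active markup:", contains_active_markup(page))
        print(page, end="\n\n")
```

The same check can be run against any page that reflects request data, such as a custom error document, to confirm that client-supplied tags reach the browser only as text.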
Fix
RCE
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Apache
Apache Http Server