AIxBlock-2023 · Takiass · Jul 9, 2025
diff --git a/.security b/.security
@@ -0,0 +1,51 @@
+# Vulnerability Disclosure: Publicly Accessible CGI Script & TLS Misconfiguration
+
+## Affected Subdomain
+`https://tb.aixblock.io/cgi-bin/printenv.pl`
+
+---
+
+## Description
+
+A publicly accessible CGI script (`printenv.pl`) was discovered on the `tb.aixblock.io` subdomain. This script reveals server-side environment variables, including internal configuration paths, installed software, and system information.
+
+Additionally, the TLS certificate for the domain is misconfigured. The certificate does not list `tb.aixblock.io` in the SAN field, which causes SSL verification errors for clients accessing it over HTTPS.
+
+---
+
+## Impact
+
+- Reveals environment variables like `PATH`, `COMSPEC`, and `DOCUMENT_ROOT`
+- Full internal paths (e.g., `E:/xampp/htdocs`) are exposed
+- Reveals server stack: Apache/2.4.58, OpenSSL/3.1.3, PHP/8.0.30, XAMPP, Windows
+- Assists in reconnaissance for attackers (potential LFI, RCE vectors)
+- TLS misconfiguration weakens trust, increases MitM risk
+
+---
+
+## Evidence
+
+### Endpoint Output:
+COMSPEC="C:\Windows\system32\cmd.exe"
+DOCUMENT_ROOT="E:/xampp/htdocs"
+SERVER_SOFTWARE="Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30"
+REMOTE_ADDR="..."
+PATH="C:\Program Files\Python38;..."
+
+### TLS Verification Failure:
+curl https://tb.aixblock.io/cgi-bin/printenv.pl
+=> curl: (60) SSL: no alternative certificate subject name matches target hostname 'tb.aixblock.io'
+
+
+---
+
+## Recommendations
+
+- Remove or restrict access to `/cgi-bin/printenv.pl`
+- Disable CGI execution in Apache if unnecessary
+- Reissue TLS certificate with correct SAN including `tb.aixblock.io`
+- Avoid exposing development stacks to the public
+
+---
+
+_Discovered and responsibly disclosed by Md. Safiul Islam (https://github.com/Takiass)_