Subject: apache and scripts in libexec/cgi-bin
To: None <tech-pkg@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: tech-pkg
Date: 11/14/2002 11:09:52
I ran nessus against my web server and got this:
> Warning found on port https (443/tcp)
>
> The 'printenv' CGI is installed.
> printenv normally returns all environment variables.
>
> This gives an attacker valuable information about the
> configuration of your web server.
>
> Solution : Remove it from /cgi-bin.
>
> Risk factor : Medium
I think we can install the default scripts but they should not
be executable. Any objections if I commit something like this
to www/apache and www/apache6:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/apache/Makefile,v
retrieving revision 1.110
diff -u -r1.110 Makefile
--- Makefile 2002/10/25 09:00:29 1.110
+++ Makefile 2002/11/14 09:05:44
@@ -188,6 +188,7 @@
${RM} -f ${PKG_SYSCONFDIR}/$${file}.default; \
done
${INSTALL_DATA} ${DISTDIR}/sitedrivenby.gif ${PREFIX}/share/httpd/htdocs
+ ${CHMOD} 0 libexec/cgi-bin/printenv libexec/cgi-bin/test-cgi
.include "../../devel/libmm/buildlink2.mk"
.include "../../textproc/expat/buildlink2.mk"
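Review bot: the added `${CHMOD}` line uses relative paths (`libexec/cgi-bin/printenv libexec/cgi-bin/test-cgi`) while the neighbouring install line is anchored on `${PREFIX}` (`${INSTALL_DATA} ${DISTDIR}/sitedrivenby.gif ${PREFIX}/share/httpd/htdocs`); unless this target is guaranteed to run with `${PREFIX}` as the working directory, the chmod will fail or touch the wrong files, so the paths should be `${PREFIX}/libexec/cgi-bin/printenv` and `${PREFIX}/libexec/cgi-bin/test-cgi`. Consider also whether mode `0` matches the stated goal of "installed but not executable": `0644` would remove execute permission (so httpd cannot run them) while leaving the files readable to the administrator as reference copies, whereas mode `0` makes them unreadable to everyone, and a one-line comment above the chmod explaining why the two stock scripts are neutered would help the next maintainer.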
Martti
---
Martti Kuparinen <martti.kuparinen@iki.fi> NetBSD - No media hype
http://www.iki.fi/kuparine/ http://www.netbsd.org/