Bug Report: Information Disclosure via Exposed CGI Script on tb.aixblock.io + TLS Misconfiguration

[Takiass]

Vulnerability Description

A publicly accessible CGI script (printenv.pl) was discovered on the subdomain tb.aixblock.io. This script discloses server-side environment variables including internal configuration paths, software stack details, and other potentially sensitive system information.

Additionally, the server’s TLS certificate is misconfigured and does not match the domain name (tb.aixblock.io), causing SSL verification failures for HTTPS clients.

---

Impact Assessment

• Discloses full internal paths (e.g., E:/xampp/...) and environment variables
• Identifies server software: Apache/2.4.58, OpenSSL/3.1.3, PHP/8.0.30, XAMPP on Windows
• Assists attacker reconnaissance and potentially enables further exploitation (e.g., LFI, RCE, misconfigured tools)
• TLS certificate mismatch weakens trust and allows for potential MitM attacks

---

Evidence

Vulnerable Endpoint:

https://tb.aixblock.io/cgi-bin/printenv.pl

Sample Output (truncated):

COMSPEC="C:\Windows\system32\cmd.exe"
DOCUMENT_ROOT="E:/xampp/htdocs"
SERVER_SOFTWARE="Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30"
PATH="C:\Program Files\Python38\;..."
REMOTE_ADDR="Client IP"
...

TLS Error (using curl):

curl: (60) SSL: no alternative certificate subject name matches target hostname 'tb.aixblock.io'

---

Recommendations

• Remove or restrict access to /cgi-bin/printenv.pl
• Disable CGI execution in Apache if unnecessary
• Reissue the TLS certificate to include tb.aixblock.io in the SAN field
• Avoid hosting development configurations on publicly accessible servers

---

Submitted in accordance with the AIxBlock Bug Bounty Reporting Process.

[tqphu27]

We acknowledge receipt of your submission. Thank you — we will respond within 7 days.
Please make sure you star the repository, fork it, and submit a valid Pull Request — submissions that don’t meet these requirements may be considered invalid.

[tqphu27]

Thank you for your submission.

We are closing and rejecting this report because it does not meet the required criteria for consideration. Specifically, you have not followed our mandatory disclosure process, which includes submitting a pull request to our public repository demonstrating the issue or proposed remediation.

Without this step, the report is not eligible for review or reward.

[Takiass]

Hello,

Thank you for your response.
I have now submitted a pull request to your public repository demonstrating the issue and proposed remediation, as per your mandatory disclosure process.
Please find the PR here: #204

Kindly review the submission at your convenience. I look forward to your feedback.

Best regards,

[Takiass]

Hi team,

Just following up on this submission. I’ve created and submitted the required pull request as per the disclosure process: #204. Kindly let me know if any further information or clarification is needed from my side.

Looking forward to your review.

Best regards,
Takiass

[Takiass]

Any update???

[tqphu27]

Thank you for your report regarding the exposure of the printenv.pl CGI script on tb.aixblock.io.

After careful assessment, we have concluded that this issue does not qualify for a reward under our current bug bounty program for the following reasons:

Out-of-Scope Target:
The affected endpoint resides on tb.aixblock.io, which is a development/staging subdomain and explicitly categorized under low-value assets in our published bounty scope (*.aixblock.io – Low). Only critical and high-value services such as api.aixblock.io, workflow.aixblock.io, and webhook.aixblock.io are eligible for rewards related to information disclosure.

No Sensitive Production Impact:
The exposed information is limited to a non-production environment, and the disclosed variables do not include authentication credentials, access tokens, or sensitive business data related to live workflows or user accounts.

Low Exploitability Without Chaining:
While the output contains server paths and environment variables, there is no direct security impact or exploit path demonstrated in your report. The potential risks mentioned (e.g., LFI or RCE) are speculative and would require additional vulnerabilities to pose a tangible threat.

As a result, while the report reflects a good understanding of system enumeration and secure configuration principles, it falls short of the reward criteria outlined in our program policy.

We do appreciate your responsible disclosure and encourage further research into vulnerabilities affecting core or production-facing systems. Submissions with demonstrated impact to authentication, authorization, code execution, or sensitive data in high-value domains are prioritized for reward.

Thank you once again for contributing to a more secure ecosystem.