Bugtraq mailing list archives
Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
From: paul.szabo () sydney edu au
Date: Tue, 19 Oct 2010 15:43:50 +1100
Dear Riyaz,
The mere mention of fcgi-bin/echo in your first mail is enough for anybody to derive the PoC. Here's what I found in under a minute: */fcgi-bin/echo/<script>aler('xss')</script>*
Sorry, that is a different issue: the one you mention was patched by Oracle a long time ago. (All the fcgi-bin/echo that I tested, were already patched against the one you mention, but vulnerable to that other I found.) Cheers, Paul Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
Current thread:
- Re: RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo an (Oct 18)
- Re: RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)
- <Possible follow-ups>
- Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)