Bugtraq mailing list archives

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

From: paul.szabo () sydney edu au
Date: Tue, 19 Oct 2010 15:43:50 +1100

Dear Riyaz,

The mere mention of fcgi-bin/echo in your first mail is enough for anybody
to derive the PoC. Here's what I found in under a minute:
*/fcgi-bin/echo/<script>aler('xss')</script>*


Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Current thread:

Re: RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo an (Oct 18)
- Re: RE: [Full-disclosure] XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)
- <Possible follow-ups>
- Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)