Full Disclosure mailing list archives
Re: XSS in Oracle default fcgi-bin/echo
From: Nahuel Grisolia <nahuel () bonsai-sec com>
Date: Fri, 08 Oct 2010 09:07:54 -0300
Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
> Many Oracle web server installations have a fcgi-bin/echo script left over from default demo (google for inurl:fcgi-bin/echo). That script seems vulnerable to XSS. (PoC exploit and explanation of impact withheld now.) I asked security () oracle com and they said that "... this issue has been resolved in an earlier Critical Patch Update."

They said the same to me one year ago.

regards,

--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
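The thread discusses a demo "echo" script that reflects request input into an HTML page. As an added illustration (not part of the post, and not Oracle's fcgi-bin/echo code, whose actual layout is not shown on this page), the following Python shows the general shape of such a reflecting handler in its unencoded form beside a hardened form that HTML-encodes every reflected value, plus a small helper an administrator can run over a captured response body from one of their own servers to see whether a harmless marker came back encoded or verbatim. The function names, the sample query string and the page layout are all assumptions made for the example.

```python
"""Added example: a minimal CGI-style "echo" page that reflects query
parameters into HTML, in the unencoded form that turns demo scripts into
reflected-XSS sinks, and the hardened form using html.escape().
Not the vendor's script; the layout below is an assumption."""
import html
from urllib.parse import parse_qs

# Constructed sample query string standing in for a request to an echo
# script. The value of "name" is a harmless marker containing '<' and '>'
# so that encoded and verbatim reflection can be told apart.
SAMPLE_QUERY = "name=<b>marker</b>&lang=en"


def parse_query(query: str) -> dict:
    """Parse a query string into {param: first value}, keeping blank values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_echo_unsafe(params: dict) -> str:
    """Reflects names and values verbatim: any markup in the request lands
    in the page unchanged, which is the defect an echo demo typically has."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in params.items())
    return f"<html><body><table>{rows}</table></body></html>"


def render_echo_safe(params: dict) -> str:
    """Same page, but every reflected name and value is HTML-encoded.
    quote=True also encodes ' and ", so the output is safe in attribute
    context as well as in element text."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in params.items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


def reflects_unencoded(body: str, marker: str) -> bool:
    """Audit helper for a captured response body: True when the raw marker
    (with its '<' and '>') appears verbatim, meaning the script reflected the
    input without encoding it; an encoded reflection returns False."""
    return marker in body


if __name__ == "__main__":
    params = parse_query(SAMPLE_QUERY)
    marker = params["name"]
    print("unsafe page reflects raw marker:", reflects_unencoded(render_echo_unsafe(params), marker))
    print("safe page reflects raw marker:  ", reflects_unencoded(render_echo_safe(params), marker))
```

The audit helper is deliberately dumb: it only tells you whether a marker you sent to your own server came back byte-for-byte, which is the single observation that separates an encoded echo from an unencoded one, without needing any script-executing payload.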
Current thread:
- XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 07)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- <Possible follow-ups>
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 18)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)