Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: XSS in Oracle default fcgi-bin/echo

From: psy <root () lordepsylon net>
Date: Fri, 08 Oct 2010 16:16:47 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe with a FD poc they decide to fix it.

Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability
with XSSer (http://xsser.sf.net)

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy
"http://127.0.0.1:8118"; -s --publish

Results of the botnet attack in real time:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

Reported: apróx 3.080 websites vulnerables.

psy.


Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
  

Many Oracle web server installations have a  fcgi-bin/echo  script
left over from default demo (google for inurl:fcgi-bin/echo). That
script seems vulnerable to XSS. (PoC exploit and explanation of
impact withheld now.)

I asked security () oracle com and they said that "... this issue has
been resolved in an earlier Critical Patch Update." 
    


They said the same to me one year ago.

regards,
  



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyvJv0ACgkQdaGdezyqJbO3LwCfRNPR0yp0Bcs2U/zGp0MrZup+
t4QAn0/E91Ly9Ilv/VkODBg7zCuy9rlD
=YzKR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: