Full Disclosure mailing list archives
Re: XSS in Oracle default fcgi-bin/echo
From: psy <root () lordepsylon net>
Date: Fri, 08 Oct 2010 16:16:47 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe with an FD PoC they will decide to fix it.

Detecting, exploiting and reporting the "fcgi-bin/echo" Oracle vulnerability with XSSer (http://xsser.sf.net):

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --publish

Results of the botnet attack in real time:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

Reported: approx. 3,080 vulnerable websites.

psy.
Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
> Many Oracle web server installations have a fcgi-bin/echo script left over from the default demo (google for inurl:fcgi-bin/echo). That script seems vulnerable to XSS. (PoC exploit and explanation of impact withheld now.)
> I asked security () oracle com and they said that "... this issue has been resolved in an earlier Critical Patch Update."

They said the same to me one year ago.

regards,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyvJv0ACgkQdaGdezyqJbO3LwCfRNPR0yp0Bcs2U/zGp0MrZup+
t4QAn0/E91Ly9Ilv/VkODBg7zCuy9rlD
=YzKR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
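The thread describes a leftover FastCGI demo script that reflects request input into its HTML output, and a Google-dork-driven mass scan with XSSer. As an added example that is not code from the thread, from XSSer or from Oracle, the script below does the single-host version of that check in a controlled way: it sends a harmless unique marker in the query string, then classifies whether the response reflects it verbatim (reflected XSS), HTML-escaped (fixed), or not at all. It also shows the hardened form of an "echo" page, which is simply escaping every name and value before emitting HTML. The sample response bodies are constructed to resemble the FastCGI devkit echo demo dumping its request environment; the exact markup of any real install, the host name, the marker string and all function names are assumptions.

```python
"""Probe a suspected fcgi-bin/echo endpoint for reflected XSS.

Added example, not part of the original thread, of XSSer or of Oracle.
The sample bodies below are constructed; they mimic the FastCGI devkit
'echo' demo, which prints request environment variables (QUERY_STRING
among them) into an HTML page.  Real markup may differ (assumption).
"""
import html
import urllib.parse
import urllib.request
from typing import Dict, Optional

# Unique, inert marker: a hit cannot be a coincidence and the tag does nothing
# by itself.  If it comes back unescaped, a real <script> would too.
PROBE = '<xsscheck/>'


def probe_url(base_url: str, marker: str = PROBE) -> str:
    """Build the test URL.  The marker goes in the query string, which the
    echo demo copies into its output as QUERY_STRING."""
    return base_url + '?' + urllib.parse.quote(marker, safe='')


def classify_reflection(body: str, marker: str = PROBE) -> str:
    """'raw'     -> marker reflected verbatim: reflected XSS.
       'escaped' -> marker present but HTML-encoded: output is encoded.
       'none'    -> marker absent: input is not reflected at all."""
    if marker in body:
        return 'raw'
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return 'escaped'
    return 'none'


def safe_echo_page(environ: Dict[str, str]) -> str:
    """Hardened equivalent of the demo: HTML-escape every name and value
    before interpolating it into the page (the fix for this bug class)."""
    rows = ''.join(
        f'<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>\n'
        for k, v in sorted(environ.items())
    )
    return f'<html><body><table>\n{rows}</table></body></html>'


def check_live(base_url: str, proxy: Optional[str] = None, timeout: float = 10) -> str:
    """Fetch the probe URL, optionally through an HTTP proxy (as XSSer's
    --proxy does), and classify the reply.  Network call: only point it at
    hosts you are authorised to test."""
    handlers = [urllib.request.ProxyHandler({'http': proxy, 'https': proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    with opener.open(probe_url(base_url), timeout=timeout) as resp:
        body = resp.read().decode('utf-8', errors='replace')
    return classify_reflection(body)


# Constructed sample responses (assumed shape of the demo output, not captured data).
VULNERABLE_BODY = (
    '<html><body><p>Request environment:</p>\n'
    '<pre>QUERY_STRING=<xsscheck/>\n'
    'REQUEST_METHOD=GET\n</pre></body></html>'
)
FIXED_BODY = safe_echo_page({'QUERY_STRING': PROBE, 'REQUEST_METHOD': 'GET'})

if __name__ == '__main__':
    # Hypothetical host; replace with a system you own before using check_live().
    print('probe URL :', probe_url('http://example.com/fcgi-bin/echo'))
    print('demo echo :', classify_reflection(VULNERABLE_BODY))   # raw
    print('fixed echo:', classify_reflection(FIXED_BODY))        # escaped
```

Run it as-is to see the classification on the constructed bodies; `check_live()` performs the real request and is deliberately not called at import time. The marker-based check is what the mass scan in the thread does per host, minus the publishing step; the `safe_echo_page` function is the one-line change (escape on output) that turns the demo's 'raw' result into 'escaped'.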
Current thread:
- XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 07)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
- <Possible follow-ups>
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 18)
- Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)