Full Disclosure mailing list archives

Re: XSS in Oracle default fcgi-bin/echo

From: paul.szabo () sydney edu au
Date: Tue, 19 Oct 2010 15:43:50 +1100

Dear Riyaz,

The mere mention of fcgi-bin/echo in your first mail is enough for anybody
to derive the PoC. Here's what I found in under a minute:
*/fcgi-bin/echo/<script>aler('xss')</script>*


Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: XSS in Oracle default fcgi-bin/echo, (continued)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
  - Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
  - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 18)
  - Re: XSS in Oracle default fcgi-bin/echo sumit kumar soni (Oct 14)