[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
- To: Nahuel Grisolia <nahuel@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
- From: psy <root@xxxxxxxxxxxxxxx>
- Date: Fri, 08 Oct 2010 16:16:47 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Maybe with a FD poc they decide to fix it.
Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability
with XSSer (http://xsser.sf.net)
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy
"http://127.0.0.1:8118"; -s --publish
Results of the botnet attack in real time:
http://identi.ca/xsserbot01
http://twitter.com/xsserbot01
Reported: apróx 3.080 websites vulnerables.
psy.
> Paul, list,
>
> On 10/08/2010 12:18 AM, paul.szabo@xxxxxxxxxxxxx wrote:
>
>> Many Oracle web server installations have a fcgi-bin/echo script
>> left over from default demo (google for inurl:fcgi-bin/echo). That
>> script seems vulnerable to XSS. (PoC exploit and explanation of
>> impact withheld now.)
>>
>> I asked security@xxxxxxxxxx and they said that "... this issue has
>> been resolved in an earlier Critical Patch Update."
>>
>
> They said the same to me one year ago.
>
> regards,
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkyvJv0ACgkQdaGdezyqJbO3LwCfRNPR0yp0Bcs2U/zGp0MrZup+
t4QAn0/E91Ly9Ilv/VkODBg7zCuy9rlD
=YzKR
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/