[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

To: nahuel@xxxxxxxxxxxxxx, root@xxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
From: paul.szabo@xxxxxxxxxxxxx
Date: Sun, 10 Oct 2010 18:22:24 +1100

psy <root@xxxxxxxxxxxxxxx> wrote:

> ... Results of the botnet attack in real time:
> http://identi.ca/xsserbot01

That shows things like:
.../fcgi-bin/echo/"><script>alert("2982f3d7aa81b3b64c1dbed10ffb953d")</script>
which is NOT the vulnerability I am talking about (as that seems to have
been fixed, long ago).

> Reported: aprox 3.080 websites vulnerables.

Thanks for that info.

Cheers, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
  - From: psy

Prev by Date: Re: [Full-disclosure] Filezilla's silent caching of user's credentials
Next by Date: Re: [Full-disclosure] Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Previous by thread: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Next by thread: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Index(es):
- Date
- Thread