[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

To: riyazwalikar@xxxxxxxxx
Subject: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
From: paul.szabo@xxxxxxxxxxxxx
Date: Tue, 19 Oct 2010 15:43:50 +1100

Dear Riyaz,

> The mere mention of fcgi-bin/echo in your first mail is enough for anybody
> to derive the PoC. Here's what I found in under a minute:
> */fcgi-bin/echo/<script>aler('xss')</script>*

Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)

Cheers, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
  - From: Riyaz Walikar

Prev by Date: Re: [Full-disclosure] Fwd: ipv6 flaw (is bullshit)
Next by Date: [Full-disclosure] SuRe: Fwd: ipv6 flaw (is bullshit
Previous by thread: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Next by thread: Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Index(es):
- Date
- Thread