Full Disclosure: Re: XSS in Oracle default fcgi-bin/echo

Re: XSS in Oracle default fcgi-bin/echo

From: Nahuel Grisolia <nahuel () bonsai-sec com>
Date: Fri, 08 Oct 2010 09:07:54 -0300

Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:

Many Oracle web server installations have a  fcgi-bin/echo  script
left over from default demo (google for inurl:fcgi-bin/echo). That
script seems vulnerable to XSS. (PoC exploit and explanation of
impact withheld now.)

I asked security () oracle com and they said that "... this issue has
been resolved in an earlier Critical Patch Update."


They said the same to me one year ago.

regards,
-- 
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 08)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
  - Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- <Possible follow-ups>
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
  - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)

(Thread continues...)