mailing list archives
Re: XSS in Oracle default fcgi-bin/echo
From: Nahuel Grisolia <nahuel () bonsai-sec com>
Date: Fri, 08 Oct 2010 09:07:54 -0300
On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
Many Oracle web server installations have a fcgi-bin/echo script
left over from default demo (google for inurl:fcgi-bin/echo). That
script seems vulnerable to XSS. (PoC exploit and explanation of
impact withheld now.)
I asked security () oracle com and they said that "... this issue has
been resolved in an earlier Critical Patch Update."
They said the same to me one year ago.
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/