
Full Disclosure mailing list archives

Re: XSS in Oracle default fcgi-bin/echo
From: Nahuel Grisolia <nahuel () bonsai-sec com>
Date: Fri, 08 Oct 2010 09:07:54 -0300

Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
> Many Oracle web server installations have a  fcgi-bin/echo  script
> left over from default demo (google for inurl:fcgi-bin/echo). That
> script seems vulnerable to XSS. (PoC exploit and explanation of
> impact withheld now.)
>
> I asked security () oracle com and they said that "... this issue has
> been resolved in an earlier Critical Patch Update."

They said the same to me one year ago.

Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security Project Leader
(+54-11) 4777-3107

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
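A practitioner reading the thread will want to check their own servers rather than rely on the vendor's "resolved in an earlier CPU" answer. The following is an added example, not code from either poster or from Oracle: it requests the leftover demo script path named in the thread with a harmless marker string and classifies whether the marker comes back verbatim (unencoded reflection, the precondition for reflected XSS), HTML-encoded, or not at all. The marker value, the query parameter name `q`, the User-Agent string and the sample response bodies are all constructed for this example; the real script's output format is not assumed.

```python
"""Reflection check for a leftover /fcgi-bin/echo demo script.

Added example, not part of the original post. Only the path comes from the
thread; the marker, parameter name and sample bodies below are constructed.
"""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Path of the leftover demo script, as named in the mailing-list post.
ECHO_PATH = "/fcgi-bin/echo"
# Constructed marker: recognisable, harmless, and containing the three
# characters an HTML context must encode (quote, less-than, greater-than).
MARKER = 'fdecho"<>'


def build_probe_url(base_url: str) -> str:
    """Build the probe URL: base + echo path + marker in a query parameter 'q'
    (parameter name is an assumption for this example)."""
    query = urllib.parse.urlencode({"q": MARKER})
    return base_url.rstrip("/") + ECHO_PATH + "?" + query


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how the marker was reflected in a response body.

    'raw'     - marker present verbatim: the script echoes input unencoded,
                which is the precondition for reflected XSS.
    'encoded' - only an HTML-escaped form of the marker is present.
    'none'    - marker not reflected at all.
    """
    if marker in body:
        return "raw"
    escaped_forms = {
        html.escape(marker, quote=True),   # &quot;&lt;&gt;
        html.escape(marker, quote=False),  # "&lt;&gt;
        marker.replace('"', "&#34;").replace("<", "&lt;").replace(">", "&gt;"),
    }
    if any(form in body for form in escaped_forms):
        return "encoded"
    return "none"


def probe(base_url: str, timeout: float = 5.0):
    """Fetch the probe URL and return (status, classification).

    A 404 means the demo script is not exposed ('absent'); any other status
    is classified by how the marker appears in the body.
    """
    req = urllib.request.Request(
        build_probe_url(base_url),
        headers={"User-Agent": "echo-reflection-check"},  # constructed UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    if status == 404:
        return status, "absent"
    return status, classify_reflection(body)


# Constructed sample bodies used to exercise the classifier offline; they are
# illustrative and do not reproduce the real script's output.
SAMPLE_RAW = '<html><body><pre>QUERY_STRING=q=fdecho"<></pre></body></html>'
SAMPLE_ENCODED = '<html><body><pre>QUERY_STRING=q=fdecho&quot;&lt;&gt;</pre></body></html>'
SAMPLE_NONE = "<html><body>Not Found</body></html>"


if __name__ == "__main__":
    # Usage: python echo_check.py https://host.example
    if len(sys.argv) != 2:
        print("usage: echo_check.py BASE_URL", file=sys.stderr)
        sys.exit(2)
    code, verdict = probe(sys.argv[1])
    print(f"{sys.argv[1]}{ECHO_PATH}: HTTP {code}, reflection={verdict}")
```

Run it against your own Oracle HTTP Server hosts only; `raw` means the leftover script still reflects untrusted input unencoded and should be removed regardless of what the CPU notes say, `absent` or `encoded` means this particular vector is closed.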
