Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: XSS in Oracle default fcgi-bin/echo
From: psy <root () lordepsylon net>
Date: Fri, 08 Oct 2010 16:16:47 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe with a FD poc they decide to fix it.

Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability
with XSSer (http://xsser.sf.net)

./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy
"http://127.0.0.1:8118"; -s --publish

Results of the botnet attack in real time:

http://identi.ca/xsserbot01
http://twitter.com/xsserbot01

Reported: apróx 3.080 websites vulnerables.

psy.

Paul, list,

On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
  
Many Oracle web server installations have a  fcgi-bin/echo  script
left over from default demo (google for inurl:fcgi-bin/echo). That
script seems vulnerable to XSS. (PoC exploit and explanation of
impact withheld now.)

I asked security () oracle com and they said that "... this issue has
been resolved in an earlier Critical Patch Update." 
    

They said the same to me one year ago.

regards,
  


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyvJv0ACgkQdaGdezyqJbO3LwCfRNPR0yp0Bcs2U/zGp0MrZup+
t4QAn0/E91Ly9Ilv/VkODBg7zCuy9rlD
=YzKR
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault