Full Disclosure: Re: XSS in Oracle default fcgi-bin/echo

Re: XSS in Oracle default fcgi-bin/echo

From: paul.szabo () sydney edu au
Date: Sun, 10 Oct 2010 18:22:24 +1100

psy <root () lordepsylon net> wrote:

... Results of the botnet attack in real time:
http://identi.ca/xsserbot01


That shows things like:
.../fcgi-bin/echo/"><script>alert("2982f3d7aa81b3b64c1dbed10ffb953d")</script>
which is NOT the vulnerability I am talking about (as that seems to have
been fixed, long ago).

Reported: aprox 3.080 websites vulnerables.


Thanks for that info.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 08)
- Re: XSS in Oracle default fcgi-bin/echo Nahuel Grisolia (Oct 08)
  - Re: XSS in Oracle default fcgi-bin/echo psy (Oct 09)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 10)
- <Possible follow-ups>
- Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
  - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Thor (Hammer of God) (Oct 13)
    - Re: XSS in Oracle default fcgi-bin/echo Riyaz Walikar (Oct 17)
    - Re: XSS in Oracle default fcgi-bin/echo paul . szabo (Oct 19)
  - Re: XSS in Oracle default fcgi-bin/echo sumit kumar soni (Oct 14)