Full Disclosure mailing list archives

Re: XSS in Oracle default fcgi-bin/echo
From: Riyaz Walikar <riyazwalikar () gmail com>
Date: Sun, 17 Oct 2010 11:50:24 +0530

Hi Paul,

The mere mention of fcgi-bin/echo in your first mail is enough for anybody
to derive the PoC. Here's what I found in under a minute:
*/fcgi-bin/echo/<script>aler('xss')</script>*

Anybody with a day's work in Web Application security would be able to figure
this out knowing the vulnerable script.

Just my two cents.

Regards,
Riyaz Walikar

On Thu, Oct 14, 2010 at 3:05 AM, <paul.szabo () sydney edu au> wrote:

> Dear Thor,
>
> Amazing how people claim being logical ... sure sign they aren't!
>
> ... Irrespective of the method you choose to validate "bona-fide"
> recipients of your PoC, you will have no control over what the
> recipient chooses to do with it once they have it.  As such, logic
> dictates that your PoC be considered "public" the moment you release
> it. ...
>
> Does logic dictate that all people are rabid pro-disclosure zealots,
> who do not respect copyright, IP rights, nor gentle personal requests
> for discretion?
>
> ... don't fool yourself into thinking you are somehow being
> responsible ...
>
> I do not own an over-inflated ego.
>
> ... or simply send the code to Oracle and ask them ...
>
> Sorry to blow your assumption: sent to Oracle, ages ago, first thing.
>
> Cheers, Paul
>
> Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
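The thread describes an "echo" FastCGI script that reflects the request path into its response unencoded. The following is an added example, not code from any poster and not Oracle's script: a hypothetical model of such a handler beside a hardened variant that HTML-encodes the reflected value, plus a small log-triage helper (constructed sample log lines, assumed Common Log Format) that flags requests to the echo path carrying tag characters after URL decoding.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical model of an "echo" CGI that reflects PATH_INFO into an HTML
# page without encoding, the behaviour the thread describes (not Oracle's code).
def echo_unsafe(path_info: str) -> str:
    return f"<html><body><pre>PATH_INFO={path_info}</pre></body></html>"

# Hardened variant: HTML-encode every reflected value so any markup in the
# request path is rendered as text instead of being parsed by the browser.
def echo_safe(path_info: str) -> str:
    encoded = html.escape(path_info, quote=True)
    return f"<html><body><pre>PATH_INFO={encoded}</pre></body></html>"

# Triage check for web access logs: flag requests to the echo script whose
# URL-decoded path contains what looks like the start of an HTML tag.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+"')
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

def flag_suspicious_echo_requests(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # Decode percent-encoding first; attackers rarely send raw '<'.
        path = unquote(m.group("path"))
        if path.startswith("/fcgi-bin/echo") and TAG_RE.search(path):
            hits.append(path)
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Oct/2010:11:50:24 +0530] "GET /fcgi-bin/echo/hello HTTP/1.1" 200 312',
    '10.0.0.9 - - [17/Oct/2010:11:51:02 +0530] "GET /fcgi-bin/echo/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 355',
    '10.0.0.9 - - [17/Oct/2010:11:51:10 +0530] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(echo_unsafe("<b>x</b>"))   # tag reaches the browser as markup
    print(echo_safe("<b>x</b>"))     # tag reaches the browser as text
    print(flag_suspicious_echo_requests(SAMPLE_LOG))
```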
