[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo

Dear Riyaz,

> The mere mention of fcgi-bin/echo in your first mail is enough for anybody
> to derive the PoC. Here's what I found in under a minute:
> */fcgi-bin/echo/<script>aler('xss')</script>*

Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)

Cheers, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia