Message-ID: <4CAF099A.80909@bonsai-sec.com>
Date: Fri, 08 Oct 2010 09:07:54 -0300
From: Nahuel Grisolia <nahuel@...sai-sec.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: XSS in Oracle default fcgi-bin/echo

Paul, list,

On 10/08/2010 12:18 AM, paul.szabo@...ney.edu.au wrote:
> Many Oracle web server installations have a fcgi-bin/echo script
> left over from default demo (google for inurl:fcgi-bin/echo). That
> script seems vulnerable to XSS. (PoC exploit and explanation of
> impact withheld now.)
>
> I asked security@...cle.com and they said that "... this issue has
> been resolved in an earlier Critical Patch Update."

They said the same to me one year ago.

regards,
--
Nahuel Grisolia - C|EH
Information Security Consultant
Bonsai Information Security
Project Leader
http://www.bonsai-sec.com/
(+54-11) 4777-3107

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/