| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4CAF27CF.3090509@lordepsylon.net> Date: Fri, 08 Oct 2010 16:16:47 +0200 From: psy <root@...depsylon.net> To: Nahuel Grisolia <nahuel@...sai-sec.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: XSS in Oracle default fcgi-bin/echo -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maybe with a FD poc they decide to fix it. Detecting, exploiting and reporting "fcgi-bin/echo" Oracle vulnerability with XSSer (http://xsser.sf.net) ./XSSer -d "'inurl:fcgi-bin/echo'" --De "google" --proxy "http://127.0.0.1:8118" -s --publish Results of the botnet attack in real time: http://identi.ca/xsserbot01 http://twitter.com/xsserbot01 Reported: apróx 3.080 websites vulnerables. psy. > Paul, list, > > On 10/08/2010 12:18 AM, paul.szabo@...ney.edu.au wrote: > >> Many Oracle web server installations have a fcgi-bin/echo script >> left over from default demo (google for inurl:fcgi-bin/echo). That >> script seems vulnerable to XSS. (PoC exploit and explanation of >> impact withheld now.) >> >> I asked security@...cle.com and they said that "... this issue has >> been resolved in an earlier Critical Patch Update." >> > > They said the same to me one year ago. > > regards, > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkyvJv0ACgkQdaGdezyqJbO3LwCfRNPR0yp0Bcs2U/zGp0MrZup+ t4QAn0/E91Ly9Ilv/VkODBg7zCuy9rlD =YzKR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists