lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <201103230059.p2N0xBKL022422@bari.maths.usyd.edu.au> Date: Wed, 23 Mar 2011 11:59:11 +1100 From: paul.szabo@...ney.edu.au To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: XSS in Oracle default fcgi-bin/echo Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo : http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html http://www.securityfocus.com/archive/1/514181 The issue may now be fixed in the latest versions of Oracle web servers: http://www.integrigy.com/oracle-security-blog/archive/2010/10/10/fastcgi-fcgi-bin-echo So I now release the PoC for this vulnerability: <form action="http://server/fcgi-bin/echo" method=post enctype="multipart/form-data"> <input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br> <input type=submit value="send"> </form> The "traditional" form of a similar vulnerability http://osvdb.org/700 is claimed to have been fixed long ago, maybe in http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html However that never was actually fixed by Oracle, but was fixed by browsers that %-encode the query. Another interesting reference: http://www.thisisahmed.com/tia/ohs/ohshardening.html Cheers, Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists