Re: [Full-disclosure] XSS in Oracle default fcgi-bin/echo
Dear Riyaz,
> The mere mention of fcgi-bin/echo in your first mail is enough for anybody
> to derive the PoC. Here's what I found in under a minute:
> */fcgi-bin/echo/<script>aler('xss')</script>*
Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)
Cheers, Paul
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
討論串 (同標題文章)
完整討論串 (本文為第 2 之 2 篇):