Dear Riyaz,
> The mere mention of fcgi-bin/echo in your first mail is enough for anybody
> to derive the PoC. Here's what I found in under a minute:
> */fcgi-bin/echo/<script>aler('xss')</script>*
Sorry, that is a different issue: the one you mention was patched by
Oracle a long time ago. (All the fcgi-bin/echo that I tested, were
already patched against the one you mention, but vulnerable to that
other I found.)
Cheers, Paul
Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
