Oracle Application Server Fastcgi Echo Vulnerability Reports
A potential and unconfirmed cross-site scripting (XSS) vulnerability in the Oracle Application Server has been reported on the Full Disclosure mailing list. The vulnerability is in the FastCGI module delivered with the Apache httpd server that is incorporated into the Oracle Application Server. Integrigy has not confirmed the vulnerability, as the author has not released details, but the author claims this XSS vulnerability is different from those previously fixed in the fcgi-bin echo programs.
Regardless of whether a vulnerability exists, the FastCGI echo programs (echo and echo2) should always be removed or disabled in all Oracle Application Server implementations, as they can provide information to an attacker. To verify whether the echo program is installed, try http://<host>:<port>/fcgi-bin/echo.
In Oracle's Best Practices for Securing the Oracle E-Business Suite (Metalink Notes 189367.1 page 17 and 403537.1 page 16), there is a recommendation to either remove the reference to fcgi-bin or disable FastCGI. With AutoConfig, the following lines can be inserted into the custom_apache.conf file.
Deny from all
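For reference, a complete form of that restriction is shown below as an added example; it is not the text of the Metalink notes and assumes the Apache 1.3/2.0 style access-control syntax (Order/Deny) used by the Oracle HTTP Server of that era, with echo and echo2 served under /fcgi-bin as described above.

```apache
# Added example (not from the Metalink notes): block both FastCGI echo test
# programs. Assumes Apache 1.3/2.0 access-control syntax and the default
# /fcgi-bin/echo and /fcgi-bin/echo2 URL paths.
<Location /fcgi-bin/echo>
    Order deny,allow
    Deny from all
</Location>

<Location /fcgi-bin/echo2>
    Order deny,allow
    Deny from all
</Location>
```

After restarting the HTTP server, the verification request described above should return HTTP 403 for both paths rather than the echo output.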
Oracle E-Business Suite 11i (11.5.10)
For 11.5.10.x with a recent version of the AutoConfig templates installed (TXK AutoConfig Templates Rollup Patch I or greater), there is no issue, because a typo in the AutoConfig templates sets the fcgi-bin directory to $IAS_TOP/Apache/fcgi-bin rather than $IAS_TOP/Apache/Apache/fcgi-bin.
Oracle E-Business Suite R12 (12.0)
The echo program in 12.0.x is enabled with no restrictions, although in the environments we tested, echo and echo2 always returned server errors when executed. We recommend that all 12.0 implementations add the above restriction for echo and echo2 to the custom.conf file.
Oracle E-Business Suite R12 (12.1)
The AutoConfig templates for 12.1 (apps.conf) include a specific restriction on access to fcgi-bin/echo and fcgi-bin/echo2, and the FastCGI module is not loaded (httpd.conf).