[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy
From: "Sea Shark" <sead3nx@xxxxxxxxx>
Date: Tue, 20 Mar 2007 12:14:20 +0200

Hi,

Access to http://somesite/servlet/Spy should be restricted. But
generally database or system administrators ignore the hardening of
Oracle apllications or database. I have noticed XSS bug in Dynamic
Monitoring services on Oracle-Application-Server-10g/10.1.2.0.0.

http://somesite/servlet/Spy?format=metrictable&cache=false&interval=6400000&table=%3Cscript%3Ealert('inTellectPRO')%3C/script%3E&orderby=Name

d3nx

Prev by Date: ZynOS v3.40 One packet killer
Next by Date: Web Wiz Forums 8.05 (MySQL version) SQL Injection
Previous by thread: ZynOS v3.40 One packet killer
Next by thread: Web Wiz Forums 8.05 (MySQL version) SQL Injection
Index(es):
- Date
- Thread