AOH :: Oracle :: TB10023.HTM

Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy

Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy
Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy


Hi,

Access to http://somesite/servlet/Spy should be restricted. But 
generally database or system administrators ignore the hardening of
Oracle apllications or database. I have noticed XSS bug in Dynamic
Monitoring services on Oracle-Application-Server-10g/10.1.2.0.0.

http://somesite/servlet/Spy?format=metrictable&cache=false&interval=6400000&table=%3Cscript%3Ealert('inTellectPRO')%3C/script%3E&orderby=Name 

d3nx

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.