Дополнительная информация

Межсайтовый скриптинг в Oracle Dynamic Monitoring Services (crossite scripting)

From:	Sea Shark <sead3nx_(at)_gmail.com>
Date:	22 марта 2007 г.
Subject:	Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy

Hi,

Access to http://somesite/servlet/Spy should be restricted. But
generally database or system administrators ignore the hardening of
Oracle apllications or database. I have noticed XSS bug in Dynamic
Monitoring services on Oracle-Application-Server-10g/10.1.2.0.0.

http:
//somesite/servlet/Spy?format=metrictable&cache=false&interval=6400000&
table=%3Cscript%3Ealert('inTellectPRO')%3C/script%
3E&orderby=Name

d3nx