Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Cross Site Scripting in iSQLPlus logon parameter

Name Cross Site Scripting in iSQLPlus logon parameter
Systems Affected Oracle iSQL*Plus
Severity Low Risk
Category Cross Site Scripting
Vendor URL http://www.oracle.com/
Credit Ravel Ivgi (<theinsider at 012.net.il>)
Exploit http://www.securitytracker.com/alerts/2004/Jan/1008838.html
Date 14 May 2005 (V 1.00)

Details

The logon parameter of the iSQL*plus login mask is vulnerable against Cross Site Scripting.



Example
http://server/isqlplus?action=logon&username=dummy%22%3e%3cscript%3ealert('CSS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('CSS')%3c/script%3e



Patch Information
Apply the latest Oracle patchsets.

2005 by Red-Database-Security GmbH - last update 02-nov-2005

Hardening Oracle Application Server

  • Change Default Password in the Infrastructure Database
  • Protect the TNS Listener
  • Remove Demo Applications / Pages
  • Disable Reports Diagnosis Pages
  • Disable Forms Query/Where
  • Stop unneeded Components