Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Cross Site Scripting in iSQLPlus action parameter

Name Cross Site Scripting in iSQLPlus action parameter

Systems Affected Oracle iSQL*Plus

Severity Low Risk

Category Cross Site Scripting

Vendor URL http://www.oracle.com/

Credit Ravel Ivgi (<theinsider at 012.net.il>)

Exploit http://www.securitytracker.com/alerts/2004/Jan/1008838.html

Date 14 May 2005 (V 1.00)

Details

The action parameter of the iSQL*plus login mask is vulnerable against Cross Site Scripting.

Example
http://server/isqlplus?action=<script>alert('CSS')</script>

Patch Information
Apply the latest Oracle patchsets.

ƒD 2005 by Red-Database-Security GmbH - last update 02-nov-2005

Hardening Oracle Application Server

Change Default Password in the Infrastructure Database
Protect the TNS Listener
Remove Demo Applications / Pages
Disable Reports Diagnosis Pages
Disable Forms Query/Where
Stop unneeded Components