| Field | Value |
|---|---|
| VID | 22256 |
| Severity | 30 |
| Port | 7777, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Oracle HTTP Server iSQLplus script is vulnerable to cross-site scripting, caused by improper filtering of user-supplied input in the 'action', 'username', and 'password' parameters of the 'iSQLplus' script. A remote attacker can create a specially crafted URL link to the 'iSQLplus' script such as `http://[target]/isqlplus?action=logon&username=sdfds%22%3e%3cscript%3ealert('XSS')%3c/script%3e&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e` and persuade the target user to click it. Once the link is clicked, the injected script executes in the target user's web browser within the security context of the hosting site; by exploiting this vulnerability, a remote attacker can steal the target user's cookie-based authentication credentials. References: http://www.securitytracker.com/alerts/2004/Jan/1008838.html, http://archives.neohapsis.com/archives/bugtraq/2004-01/0233.html. Platforms Affected: Oracle HTTP Server 8.1.7, Oracle HTTP Server 9.0.1, Oracle HTTP Server 9.2.0. |
| Recommendation | No patch for this vulnerability as of June 2014. |
| Related URL | CVE-2004-2115 (CVE) |
| Related URL | 9484 (SecurityFocus) |
| Related URL | 14930 (ISS) |