71 Oracle 9iAS iSQLplus cross site scripting HTTP 2004/03/22 Marc Ruef marc dot ruef at computec dot ch http://www.computec.ch computec.ch Marc Ruef marc dot ruef at computec dot ch http://www.computec.ch computec.ch 2004/11/14 2.0 Corrected the plugin structure and added the accuracy values in 1.2. Improved the pattern matching and introduced the plugin changelog in 2.0 tcp 80 open|send /isqlplus?action=logon&username=joe%22&password=test\n\n|sleep|close|pattern_exists HTTP/#.# ### ** 99 Check is copied from the Nessus plugin. http://www.securitytracker.com/alerts/2004/Jan/1008838.html Oracle 9iAS Cross Site Scripting The login-page of Oracle9i iSQLplus allows the injection of HTML and Javascript code via the username and password parameters. No solution known yet. 1 hour Yes Yes Yes Medium 7 8 7 7 Medium Nessus is able to do the same check. 12112 Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427 http://www.computec.ch