Oracle Endeca Server createDataStore method command execution
Added: 09/04/2013
CVE: CVE-2013-3763
BID: 61217
OSVDB: 95269
Background
Oracle Endeca Server is a hybrid search-analytical database.
Problem
A vulnerability in the controlSoapBinding service allows remote attackers to execute arbitrary commands by sending a request for the createDataStore method with a specially crafted dataFiles parameter.
Resolution
Apply the patch referenced in the July 2013 Critical Patch Update.
References
http://www.zerodayinitiative.com/advisories/ZDI-13-190/
Limitations
Exploit works on Oracle Endeca Server 7.4.0 on Windows Server 2008 R2 SP1 (DEP OptOut).
Platforms
Windows