Oracle Secure Backup property_box.php type parameter command execution
Added: 09/01/2009
CVE: CVE-2009-1978
BID: 35678
OSVDB: 55904
Background
Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.
Problem
A command execution vulnerability in the Oracle Secure Backup web interface allows remote attackers to execute arbitrary commands specified in the type parameter in an HTTP request for property_box.php.
Resolution
Apply the patch referenced in the Oracle Critical Patch Update for July 2009.
References
http://www.securityfocus.com/bid/35678
Limitations
Exploit works on Oracle Secure Backup 10.2.0.3.
When the target is Windows, this exploit must be able to bind to port 69/UDP in order to succeed.
When exploiting Linux targets, the netcat ("nc") utility must be installed on the target platform.
The IO-Socket-SSL Perl module is required for this exploit to run. This module is available from http://www.cpan.org/modules/by-module/IO/.
Platforms
Windows
Linux