Release Date: Jan 05, 2010
Severity: critical
Impact: System Compromise: Remote attackers can gain control of vulnerable systems.
Description: This indicates an attack attempt against a command-injection vulnerability in Oracle Secure Backup. A vulnerability has been reported in Oracle Secure Backup that may allow an attacker to execute shell commands on a vulnerable system. This is possible because the user input filters fail to properly sanitize the "ora_osb_lcookie", "ora_osb_bgcookie", and "rbtool" parameter values that are passed to "login.php". An attacker may include shell commands by supplying an injection string through the URL and a good string through POST or the COOKIE.
Affected Products: Oracle Secure Backup 10.2.0.3, Oracle Secure Backup 10.2.0.2, Oracle Secure Backup 10.1.0.3, Oracle Secure Backup 10.1.0.2, Oracle Secure Backup 10.1.0.1
Recommended Actions: Apply the patch available at the following web site: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
Coverage: IPS, VCM
Common Vulnerabilities and Exposures (CVE): CVE-2008-5448
References: http://www.securityfocus.com/bid/33177 (BugTraq)
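
The pattern in the description (a metacharacter-bearing value in the URL while the same parameter arrives through POST or the cookie) can be checked in web or proxy logs. The following is an added example, not the vendor's signature logic; the function names, the metacharacter set, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names and target script come from the advisory text.
WATCHED = ("ora_osb_lcookie", "ora_osb_bgcookie", "rbtool")
# Assumption: a conservative set of shell metacharacters; tune as needed.
SHELL_META = re.compile(r"[;&|`$()<>\r\n]")


def parse_cookie_names(cookie_header):
    """Return the set of cookie names in a raw Cookie header value."""
    names = set()
    for pair in cookie_header.split(";"):
        if "=" in pair:
            names.add(pair.split("=", 1)[0].strip())
    return names


def inspect_request(url, cookie_header="", post_body=""):
    """Return (parameter, where) findings for one HTTP request."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/login.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    other_names = set(parse_qs(post_body, keep_blank_values=True))
    other_names |= parse_cookie_names(cookie_header)
    findings = []
    for name in WATCHED:
        if any(SHELL_META.search(v) for v in query.get(name, [])):
            # The same name also sent via POST or Cookie matches the
            # "injection in URL, good string elsewhere" pattern.
            where = "url+shadowed" if name in other_names else "url"
            findings.append((name, where))
    return findings


# Constructed sample requests: (url, Cookie header, POST body).
SAMPLES = [
    ("/login.php?rbtool=abc%3Bxyz", "rbtool=abc", ""),
    ("/login.php?ora_osb_lcookie=a%7Cb", "", "user=admin"),
    ("/login.php?rbtool=abc", "", ""),
]

if __name__ == "__main__":
    for url, cookie, body in SAMPLES:
        print(url, inspect_request(url, cookie, body))
```

A "url+shadowed" finding is the stronger signal, since legitimate clients have little reason to send one of these parameters in both the query string and the cookie or POST body.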