Oracle.Secure.Backup.EXEC.QR.URI.Command.Injection

Release Date

Jan 05, 2010

Severity

critical

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Description

This indicates an attack attempt against a command-injection vulnerability in Oracle Secure Backup.

A vulnerability has been reported in Oracle Secure Backup that may allow an attacker to execute shell commands on a vulnerable system. This is possible because the user-input filters fail to properly sanitize the "ora_osb_lcookie", "ora_osb_bgcookie", and "rbtool" parameter values passed to "login.php". An attacker may inject shell commands by supplying an injection string for one of these parameters through the URL query string while supplying a benign value for the same parameter through the POST body or a cookie, so that the filter inspects one copy and the application uses the other.

Affected Products

Oracle Secure Backup 10.2.0.3
Oracle Secure Backup 10.2.0.2
Oracle Secure Backup 10.1.0.3
Oracle Secure Backup 10.1.0.2
Oracle Secure Backup 10.1.0.1

Recommended Actions

Apply the patch available at the following web site:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html.

Coverage

IPS
VCM

Common Vulnerabilities and Exposures (CVE)

CVE-2008-5448

Reference/s

http://www.securityfocus.com/bid/33177 (BugTraq)

Reference: VID-18063