CVSS2: AV:N/AC:L/Au:S/C:C/I:C/A:C
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS Percentile: 99.8%
Added: 09/29/2010
CVE: CVE-2010-0899
BID: 41616
OSVDB: 66333
Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.
A command injection vulnerability in the Oracle Secure Backup web interface allows remote attackers to execute arbitrary commands specified in the **other** parameter in an HTTP request for **property_box.php**.
Apply the patch referenced in the Oracle Critical Patch Update for July 2009.
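To review web server logs for requests matching the description above, the following added example (not part of the original advisory or of any Oracle tooling) flags requests for property_box.php whose **other** parameter contains shell metacharacters after URL decoding. It assumes access logs in Common Log Format with the parameter visible in the query string; parameters sent in a request body would not appear in such logs. The path prefix, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a Common Log Format line: "METHOD target HTTP/x.y" (assumed format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters with special meaning to a command shell
SHELL_META = set(";|&`$()<>\n\r")


def suspicious_other_values(line):
    """Return the `other` values in a property_box.php request that contain shell metacharacters."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    if not parts.path.lower().endswith("/property_box.php"):
        return []
    # parse_qs percent-decodes values, so encoded forms such as %3B or %7C are caught too
    values = parse_qs(parts.query, keep_blank_values=True).get("other", [])
    return [v for v in values if SHELL_META & set(v)]


def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request in the log."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for value in suspicious_other_values(line):
            hits.append((lineno, value))
    return hits


# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - admin [29/Sep/2010:10:00:01 +0000] "GET /property_box.php?other=tape01 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [29/Sep/2010:10:02:13 +0000] "GET /property_box.php?other=tape01%3Becho%20test HTTP/1.1" 200 498',
    '192.0.2.10 - admin [29/Sep/2010:10:03:40 +0000] "GET /index.php?other=a%7Cb HTTP/1.1" 200 1024',
    '198.51.100.7 - admin [29/Sep/2010:10:05:02 +0000] "GET /property_box.php?other=a%26b HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious other={value!r}")
```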
<http://www.zerodayinitiative.com/advisories/ZDI-10-119/>
<http://secunia.com/advisories/40595/>
Exploit works on Oracle Secure Backup 10.3.0.1.0.
The target Oracle Secure Backup Administration Server must be configured to listen on the HTTP port. A valid user and password for Oracle Secure Backup Administration Server are also required.
The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password is not allowed to contain single quotes (').
Windows