Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
saintSAINT CorporationSAINT:3EC462D0BCBAD47192176A936EB0ADCB
HistorySep 29, 2010 - 12:00 a.m.

Oracle Secure Backup Administration property_box.php Other Variable Command Injection

2010-09-2900:00:00
SAINT Corporation
my.saintcorporation.com
12

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.972

Percentile

99.8%

JSON

Added: 09/29/2010
CVE: CVE-2010-0899
BID: 41616
OSVDB: 66333

Background

Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.

Problem

A command injection vulnerability in the Oracle Secure Backup web interface allows remote attackers to execute arbitrary commands specified in the **other** parameter in an HTTP request for **property_box.php**.

Resolution

Apply the patch referenced in the Oracle Critical Patch Update for July 2009.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-119/&gt;
<http://secunia.com/advisories/40595/&gt;

Limitations

Exploit works on Oracle Secure Backup 10.3.0.1.0.

The target Oracle Secure Backup Administration Server must be configured to listen on the HTTP port. A valid user and password for Oracle Secure Backup Administration Server is also required.

The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes (').

Platforms

Windows

Related

saint 3
checkpoint_advisories 2
zdi 1
nvd 2
cvelist 2
prion 2
cve 2
securityvulns 2
oracle 1
saint
saint
Oracle Secure Backup Administration property_box.php Other Variable Command Injection
2010-09-29 00:00:00
Oracle Secure Backup Administration property_box.php Other Variable Command Injection
2010-09-29 00:00:00
Oracle Secure Backup Administration property_box.php Other Variable Command Injection
2010-09-29 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Secure Backup Administration property_box.php Command Injection - Ver2 (CVE-2010-0899)
2015-05-18 00:00:00
Oracle Secure Backup Administration property_box.php Command Injection (CVE-2010-0899)
2010-08-29 00:00:00
zdi
zdi
Oracle Secure Backup Administration $other Variable Command Injection Remote Code Execution Vulnerability
2010-07-13 00:00:00
nvd
nvd
CVE-2010-0899
2010-07-13 22:30:01
CVE-2010-0907
2010-07-13 22:30:02
cvelist
cvelist
CVE-2010-0899
2010-07-13 22:07:00
CVE-2010-0907
2010-07-13 22:07:00
prion
prion
Design/Logic Flaw
2010-07-13 22:30:00
Design/Logic Flaw
2010-07-13 22:30:00
cve
cve
CVE-2010-0899
2010-07-13 22:30:01
CVE-2010-0907
2010-07-13 22:30:02
securityvulns
securityvulns
Oracle / Sun applications multiple security vulneraebilities
2010-07-20 00:00:00
Oracle Critical Patch Update Advisory - July 2010
2010-07-15 00:00:00
oracle
oracle
Security | Oracle Critical Patch Update - July 2010
2010-07-13 00:00:00

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS

0.972

Percentile

99.8%

JSON
Related for SAINT:3EC462D0BCBAD47192176A936EB0ADCB
saint3checkpoint_advisories2zdi1nvd2cvelist2prion2cve2securityvulns2oracle1