Oracle Secure Backup Administration Server login.php Arbitrary Command Injection

Critical Nessus Plugin ID 35363

Synopsis

The remote web server contains a PHP script that allows execution of arbitrary commands.

Description

The remote version of Oracle Secure Backup Administration Server fails to sanitize user-supplied input to various parameters of the 'login.php' script before using it.

By sending specially crafted arguments, an attacker can exploit this to execute code on the remote host with the privileges of the web server.

By default, the server runs with SYSTEM privileges under Windows.

Solution

Apply the patches referenced in the vendor advisory linked under See Also.

See Also

http://www.nessus.org/u?5ad19c95

Plugin Details

Severity: Critical

ID: 35363

File Name: oracle_secure_backup_cmd.nasl

Version: 1.33

Type: remote

Family: CGI abuses

Published: 1/14/2009

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:oracle:secure_backup

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 1/13/2009

Exploitable With

CANVAS (D2ExploitPack)

Elliot (Oracle Secure Backup 10.2.0.2 RCE (Windows))

Reference Information

CVE: CVE-2008-4006, CVE-2008-5448

BID: 33177