Signature Detail

Short Name	APP:ORACLE:SBAS-CMD-INJ
Severity	High
Recommended	Yes
Recommended Action	Drop
Category	APP
Keywords	Oracle Secure Backup Administration Server Command Injection SBAS 10.2.0.3 property_box
Release Date	2009/11/19
Update Number	1551
Supported Platforms	idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+

APP: Oracle Secure Backup Administration Server Command Injection

This signature detects attempts to exploit a known vulnerability against Oracle Secure Backup 10.2.0.3 and prior. A successful attack can lead to arbitrary code execution.

Extended Description

Oracle Secure Backup is prone to a remote arbitrary command-execution vulnerability that can be exploited over the 'HTTP' protocol. An authenticated attacker with 'Valid Session' privileges can exploit this issue. The attacker can leverage this issue to execute arbitrary commands with Oracle SYSTEM account privileges.

Affected Products

Oracle Secure Backup 10.1.0.1
Oracle Secure Backup 10.1.0.2
Oracle Secure Backup 10.1.0.3
Oracle Secure Backup 10.2.0.2
Oracle Secure Backup 10.3.0.1.0

References

BugTraq: 35678
CVE: CVE-2009-1978
URL: http://secunia.com/advisories/35776
URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

APP: Oracle Secure Backup Administration Server Command Injection

Extended Description

Affected Products

References