Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:ORACLE:LOGIN-COOKIES-INJ |
|---|---|
Severity |
Major |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Oracle Secure Backup Administration Server login.php Cookies Command Injection |
Release Date |
2011/07/18 |
Update Number |
1956 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Oracle Secure Backup Administration Server login.php Cookies Command Injection
There exists a command injection vulnerability in Oracle Secure Backup. The vulnerability is due to lack of sanitation of user supplied parameters when processing HTTP requests sent to CGI program login.php. Remote unauthenticated attackers can exploit this vulnerability by sending a crafted HTTP request to the target host. Successful exploitation would allow for arbitrary command execution in the security context of the user running the web server of Oracle Secure Backup. The behaviour of the target is entirely dependent on the intended function of the injected command.
Extended Description
Oracle has released the January 2009 critical patch update. The update addresses 41 vulnerabilities affecting the following software: Oracle Database Oracle Secure Backup Oracle TimesTen In-Memory Database Oracle Application Server Oracle Collaboration Suite Oracle E-Business Suite Release Oracle Enterprise Manager Grid Control PeopleSoft Enterprise HRMS JD Edwards Tools Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle WebLogic Portal (formerly BEA WebLogic Portal)
Affected Products
- Bea_systems weblogic_portal 10.0
- Bea_systems weblogic_portal 10.0 MP1
- Bea_systems weblogic_portal 10.2
- Bea_systems weblogic_portal 10.3
- Bea_systems weblogic_portal 8.1.0
- Bea_systems weblogic_portal 8.1.0 SP1
- Bea_systems weblogic_portal 8.1.0 SP2
- Bea_systems weblogic_portal 8.1.0 SP3
- Bea_systems weblogic_portal 8.1.0 SP4
- Bea_systems weblogic_portal 8.1.0 SP5
- Bea_systems weblogic_portal 8.1.0 SP6
- Bea_systems weblogic_portal 9.2
- Bea_systems weblogic_portal 9.2 MP3
- Bea_systems weblogic_server 10.0
- Bea_systems weblogic_server 10.0 MP1
- Bea_systems weblogic_server 10.3
- Bea_systems weblogic_server 7.0.0
- Bea_systems weblogic_server 7.0.0 .0.1
- Bea_systems weblogic_server 7.0.0 .0.1 SP 1
- Bea_systems weblogic_server 7.0.0 .0.1 SP 2
- Bea_systems weblogic_server 7.0.0 .0.1 SP 3
- Bea_systems weblogic_server 7.0.0 .0.1 SP 4
- Bea_systems weblogic_server 7.0.0 SP 1
- Bea_systems weblogic_server 7.0.0 SP 2
- Bea_systems weblogic_server 7.0.0 SP 3
- Bea_systems weblogic_server 7.0.0 SP 4
- Bea_systems weblogic_server 7.0.0 SP 5
- Bea_systems weblogic_server 7.0.0 SP 6
- Bea_systems weblogic_server 7.0.0 SP 7
- Bea_systems weblogic_server 7.0 SP7
- Bea_systems weblogic_server 8.1
- Bea_systems weblogic_server 8.1.0
- Bea_systems weblogic_server 8.1.0 SP 1
- Bea_systems weblogic_server 8.1.0 SP 2
- Bea_systems weblogic_server 8.1.0 SP 3
- Bea_systems weblogic_server 8.1.0 SP 4
- Bea_systems weblogic_server 8.1.0 SP 5
- Bea_systems weblogic_server 8.1.0 SP 6
- Bea_systems weblogic_server 9.0
- Bea_systems weblogic_server 9.1
- Bea_systems weblogic_server 9.2
- Bea_systems weblogic_server 9.2 Maintenance Pack 3
- Oracle collaboration_suite_release_1 10.1.2
- Oracle e-business_suite_11i 11.5.10.2
- Oracle e-business_suite_12 12.0.6
- Oracle enterprise_manager_grid_control_10g 10.2.0.4
- Oracle oracle10g_application_server 10.1.2 .2.0
- Oracle oracle10g_application_server 10.1.2.3.0
- Oracle oracle10g_application_server 10.1.3 .3.0
- Oracle oracle10g_enterprise_edition 10.1.0 .5
- Oracle oracle10g_enterprise_edition 10.2.0 .2
- Oracle oracle10g_enterprise_edition 10.2.0.2 64 bit
- Oracle oracle10g_enterprise_edition 10.2.0 .3
- Oracle oracle10g_enterprise_edition 10.2.0.4
- Oracle oracle10g_personal_edition 10.1.0.5
- Oracle oracle10g_personal_edition 10.2.0 .2
- Oracle oracle10g_personal_edition 10.2.0 .3
- Oracle oracle10g_personal_edition 10.2.0.4
- Oracle oracle10g_standard_edition 10.1.0 .5
- Oracle oracle10g_standard_edition 10.2.0 .2
- Oracle oracle10g_standard_edition 10.2.0 .3
- Oracle oracle10g_standard_edition 10.2.0.4
- Oracle oracle11g_enterprise_edition 11.1.0 6
- Oracle oracle11g_standard_edition 11.1.0 6
- Oracle oracle11g_standard_edition_one 11.1.0 6
- Oracle oracle9i_enterprise_edition 9.2.0.8.0
- Oracle oracle9i_enterprise_edition 9.2.0 .8DV
- Oracle oracle9i_personal_edition 9.2.0 .8
- Oracle oracle9i_personal_edition 9.2.0 .8DV
- Oracle oracle9i_standard_edition 9.2.0.8
- Oracle oracle9i_standard_edition 9.2.0 .8DV
- Oracle secure_backup 10.1.0.1
- Oracle secure_backup 10.1.0.2
- Oracle secure_backup 10.1.0.3
- Oracle secure_backup 10.2.0.2
- Oracle secure_backup 10.2.0.3
- Oracle timesten_in-memory_database 7.0.5.1.0
- Oracle timesten_in-memory_database 7.0.5.2.0
- Oracle timesten_in-memory_database 7.0.5.3.0
- Oracle timesten_in-memory_database 7.0.5.4.0
References
- BugTraq: 33177
- CVE: CVE-2008-4006