Vulnerabilities > CVE-2009-1978 - Unspecified vulnerability in Oracle Secure Backup 10.2.0.3

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

oracle

metasploit

NVD

Published: 2009-07-14

Updated: 2024-11-21

Summary

Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows remote authenticated users to execute arbitrary code with SYSTEM privileges via vectors involving property_box.php.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Secure Backup 10.2.0.3	1

D2sec

name	Oracle Secure Backup 10.3.0.1 RCE
url	http://www.d2sec.com/exploits/oracle_secure_backup_10.3.0.1_rce.html

Metasploit

description	This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
id	MSF:AUXILIARY/ADMIN/ORACLE/OSB_EXECQR2
last seen	2019-12-13
modified	2017-07-24
published	2009-09-16
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1977 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1978
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/osb_execqr2.rb
title	Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

Packetstorm

data source	https://packetstormsecurity.com/files/download/81262/osbs-bypass.txt
id	PACKETSTORM:81262
last seen	2016-12-05
published	2009-09-15
reporter	Luca Carettoni
source	https://packetstormsecurity.com/files/81262/Oracle-Secure-Backup-Server-Bypass-Command-Injection.html
title	Oracle Secure Backup Server Bypass / Command Injection

Saint

bid	35678
description	Oracle Secure Backup property_box.php type parameter command execution
id	database_oracle_backupver
osvdb	55904
title	oracle_secure_backup_property_box_type
type	remote

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:12329
last seen	2017-11-19
modified	2009-09-16
published	2009-09-16
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-12329
title	Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit

Summary

Vulnerable Configurations

D2sec

Metasploit

Packetstorm

Saint

Seebug

References