Update Protection against Oracle Secure Backup Administration property_box.php Command Injection Vulnerability
| Check Point Reference: | CPAI-2010-257 |
| Date Published: | |
| Severity: | |
| Last Updated: | |
| Source: | Oracle Critical Patch Update Advisory - July 2010 |
| Industry Reference(s): | CVE-2010-0899 |
| Protection Provided by: | Security Gateway |

Who is Vulnerable?
Oracle Secure Backup 10.3.0.1 and prior

Vulnerability Description
A command injection vulnerability has been reported in the Oracle Secure Backup server. Oracle Secure Backup is a backup solution that provides a single point of management for data on network attached storage (NAS) devices and distributed hosts. A remote attacker may exploit this issue to execute arbitrary commands on a vulnerable system.

Update/Patch Available
Apply patches: Oracle Critical Patch Update Advisory - July 2010

Vulnerability Details
The vulnerability is due to improper filtering of the user-supplied $other variable value passed to the property_box.php script used in the Administration server. A remote attacker can exploit this flaw by sending a specially crafted HTTP request to the target server. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands under the credentials of the SYSTEM account.

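The Vulnerability Details above name the script and the variable involved, which is enough to review Administration server web logs for suspect requests. The following is an added example, not Check Point's or Oracle's code: it scans access-log lines for requests to property_box.php whose `other` parameter contains shell metacharacters after repeated percent-decoding. It assumes Combined Log Format, that the variable arrives as a query-string parameter named `other`, and a constructed metacharacter set and sample log; values sent in a POST body do not appear in access logs and need request-body logging instead.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jul/2010:10:01:02 +0000] "GET /property_box.php?other=summary HTTP/1.1" 200 512
192.0.2.11 - - [14/Jul/2010:10:01:09 +0000] "GET /property_box.php?other=x%26echo%20marker HTTP/1.1" 200 498
192.0.2.12 - - [14/Jul/2010:10:01:15 +0000] "GET /property_box.php?other=x%257Cecho HTTP/1.1" 200 498
192.0.2.13 - - [14/Jul/2010:10:01:20 +0000] "GET /index.php?other=a%3Bb HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Assumed set of characters a shell treats specially; tune for your environment.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (source, decoded value) for property_box.php requests whose
    'other' parameter carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith("/property_box.php"):
            continue
        # parse_qsl splits on literal '&' and decodes once; decode again for %25xx.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)
            if name == "other" and SHELL_META.search(value):
                hits.append((match.group("src"), value))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {src}: other={value!r}")
```

A hit is a lead for investigation on hosts still running 10.3.0.1 or earlier, not proof of compromise; legitimate values containing these characters would also be flagged.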
Protection Overview
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.