Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.2
CVE Id CVE-2005-2372
Last Modified 05 Sep 2008 04:51:35
Published 26 Jul 2005 12:00:00
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector LOCAL
Access Complexity LOW
Authentication NONE

CVE-2005-2372

Summary

Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet.
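The following is an added example, not code from the Lumension page or from Oracle. It models the parameter handling the summary describes (a form or module value used directly as a file path, so an absolute path escapes the configured form directories) beside a hardened resolver that accepts only bare module names, and it reuses that validator to flag f90servlet requests with suspicious form or module values in a few constructed access-log lines. The parameter names, the servlet name and the .fmx extension come from the summary; the FORMS_PATH directory list, the log lines and the client addresses are assumptions constructed for the example.

```python
"""Added example for CVE-2005-2372: flawed vs. hardened form-path resolution,
plus a log check that flags requests the hardened resolver would reject.
Not Oracle's code; FORMS_PATH and the log lines below are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-listed directories that form executables may be loaded from.
FORMS_PATH = ["/u01/app/oracle/forms", "/u01/app/oracle/forms/demo"]

# A module name: letters, digits, underscore, optional .fmx. No separators,
# no drive letters, no '..', so the value cannot name a directory.
MODULE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}(\.fmx)?")

# Common-log-format request line: client, timestamp, method, target.
LOG_LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def resolve_form_vulnerable(param: str) -> str:
    """Mirror of the flawed behaviour in the summary: the parameter is used as
    a filename as given, so an absolute path is honoured and the form is
    started from whatever directory the attacker chose."""
    name = param if param.endswith(".fmx") else param + ".fmx"
    if posixpath.isabs(name):
        return posixpath.normpath(name)          # attacker-controlled location
    return posixpath.join(FORMS_PATH[0], name)   # only relative names stay inside


def resolve_form_hardened(param: str):
    """Accept only a bare module name and resolve it inside FORMS_PATH.
    Returns the candidate paths to probe in order, or None if rejected."""
    if not MODULE_NAME.fullmatch(param):
        return None
    name = param if param.endswith(".fmx") else param + ".fmx"
    return [posixpath.join(d, name) for d in FORMS_PATH]


def flag_request(line: str):
    """Return (client, parameter, value) when an f90servlet request carries a
    form or module value the hardened resolver rejects, else None.
    Only query-string parameters are visible in an access log; a value sent
    in a POST body would need the request body or a WAF log instead."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/f90servlet"):
        return None
    # parse_qs percent-decodes, so '..%2F' is checked as '../'.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        if key.lower() in ("form", "module"):
            for value in values:
                if resolve_form_hardened(value) is None:
                    return (client, key, value)
    return None


def scan(lines):
    """Run flag_request over every line and keep the hits."""
    return [hit for hit in (flag_request(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic): one benign request, one
# absolute path, one percent-encoded traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2005:10:01:02 +0200] "GET /forms90/f90servlet?form=hrapp&config=prod HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jul/2005:10:02:11 +0200] "GET /forms90/f90servlet?form=/tmp/uploads/evil HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jul/2005:10:03:45 +0200] "GET /forms90/f90servlet?module=..%2F..%2Ftmp%2Fevil.fmx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("vulnerable:", resolve_form_vulnerable("/tmp/uploads/evil"))
    print("hardened:  ", resolve_form_hardened("/tmp/uploads/evil"))
    for hit in scan(SAMPLE_LOG):
        print("suspicious f90servlet request:", hit)
```

The hardened resolver deliberately rejects rather than normalises: stripping separators from a hostile value still leaves the server probing a name the attacker chose, whereas an allow-list of bare module names confines every lookup to FORMS_PATH. Using the same validator in the detector keeps the two in agreement, so anything the servlet would refuse also shows up in the log review.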

Vulnerable Systems

Application

  • Oracle Forms 3.0
  • Oracle Forms 4.5
  • Oracle Forms 5.0
  • Oracle Forms 6.0
  • Oracle Forms 6i
  • Oracle Forms 9i
  • Oracle Forms 10g

References

MISC - http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html

BUGTRAQ - 19 Jul 2005: Oracle Security Advisory: Run any OS Command via unauthorized Oracle Forms


Last Updated: 27 May 2016 10:40:30