cbcvebase.
CVE-2009-1977
published 2009-07-14

CVE-2009-1977: Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity…

PriorityP272critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
72.64%
99.4th percentile
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows attackers to bypass authentication via unknown vectors involving the username parameter and login.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
oraclesecure_backup

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://<TARGET>/login.php
urlhttps://<TARGET>/property_box.php?type=CheckProperties&vollist=<PAYLOAD>
path/login.php
path/property_box.php
cookiePHPSESSID=<token>
commandbutton=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd
filenameosb103shelltmp
path/osb103shelltmp
  • Authentication bypass is triggered by supplying a username value beginning with '--' (double-dash, option-injection style) to the uname parameter in a POST to /login.php, which returns a valid PHPSESSID without correct credentials.
  • Command injection occurs via the 'vollist' GET parameter in /property_box.php with type=CheckProperties; payloads use URL-encoded shell metacharacters (e.g., %26 for '&') to chain OS commands.
  • The attack chain targets Oracle Secure Backup Administration Server over HTTPS; alert on POST requests to /login.php with a uname value starting with '--' followed by GET requests to /property_box.php with a vollist parameter containing URL-encoded shell operators.
  • The vulnerability involves the 'username parameter' in login.php; monitor for anomalous or option-like values (e.g., values starting with '--') in the uname POST field.
  • ·The exploit and Metasploit module were tested specifically against Oracle Secure Backup 10.3.0.1.0 (Win32); the NVD advisory references version 10.2.0.3 as the patched baseline — behavior may differ across versions.
  • ·The PoC exploit requires 'curl' with HTTPS support to be present on the attacker system; the Oracle Secure Backup admin server must be reachable over HTTPS (port 443).
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.