cbcvebase.
CVE-2010-0904
published 2010-07-13

CVE-2010-0904: Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.

PriorityP347medium5CVSS 2.0
AVNACLAuNCNIPAN
EXPLOIT
EPSS
51.56%
98.8th percentile
Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.

Affected

1 ranges
VendorProductVersion rangeFixed in
oraclesecure_backup

Detection & IOCsextracted from sources · hover to see the quote

url/login.php
url/property_box.php
commandattempt=1&uname=-
command?type=Job&jlist=0%26<cmd>
cookiePHPSESSID
port443
  • Detect authentication bypass attempt: POST to /login.php with body containing 'attempt=1&uname=-' (dash/empty username) indicating exploitation of the auth bypass in Oracle Secure Backup.
  • Detect command injection attempt: GET request to /property_box.php with query parameters 'type=Job' and 'jlist=0%26' (URL-encoded ampersand) indicating OS command injection via the jlist parameter.
  • Correlate a POST to /login.php with uname=- immediately followed by a GET to /property_box.php using the PHPSESSID cookie obtained from the login response — this two-step sequence is the full exploit chain.
  • The exploit drops and executes a randomly named .exe payload in the current directory; monitor for creation of short random-name executables (4–8 alphanumeric chars + .exe) on Oracle Secure Backup Windows hosts.
  • The underlying vulnerable code passes the unsanitized jlist parameter directly to exec_qr with rbtool lsjob; alert on process executions of rbtool spawned with unexpected arguments containing shell metacharacters.
  • ·The exploit targets Oracle Secure Backup version 10.3.0.1.0 on Windows (Win32) only; the Metasploit module defines a single 'Windows Universal' target and raises an error for other platforms.
  • ·SSL is enabled by default in the exploit module (port 443/HTTPS); network detection rules must inspect TLS-decrypted traffic to catch the attack.
  • ·CVE-2010-0904 covers the authentication bypass in login.php; the jlist command injection vector in property_box.php is a separate, chained issue noted as potentially undisclosed at time of module authorship.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.