Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup- Administration Server login.php Command Injection Vulnerability

From: security curmudgeon <jericho@attrition.org>
To: bugtraq@securityfocus.com
Cc: secalert_us@oracle.com,CVE <cve@mitre.org>
Subject: Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup- Administration Server login.php Command Injection Vulnerability
Date:



iDefense, CVE or Oracle;

The two iDefense advisories present a bit of confusion over the CVE 
assignments and number of vulnerabilities. There appear to be two 
vulnerabilities (login.php and common.php) that may have 3 CVE numbers 
assigned. Could anyone clarify?

First advisory, mail list post and original jibe suggesting common.php 
issue is CVE-2008-5449:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.


Second advisory, mail list post and original do not match, mentioning 
CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and 
common.php. This implies that common.php may have had two CVE assigned:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html
The first vulnerability is in "php/login.php".
The second vulnerability is in "php/common.php". 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-4006 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768
The first vulnerability is in "php/login.php". 
The second vulnerability is in "php/common.php".
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CVE-2008-4006 and CVE-2008-5448 to this issue. 


Any clarification would be appreciated.





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.