Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
iDefense, CVE or Oracle;
The two iDefense advisories present a bit of confusion over the CVE
assignments and number of vulnerabilities. There appear to be two
vulnerabilities (login.php and common.php) that may have 3 CVE numbers
assigned. Could anyone clarify?
First advisory, mail list post and original jibe suggesting common.php
issue is CVE-2008-5449:
iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html
The vulnerability is in a function of common.php which is called from the
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-5449 to this issue.
Oracle Secure Backup Administration Server login.php Command Injection
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769
The vulnerability is in a function of common.php which is called from the
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-5449 to this issue.
Second advisory, mail list post and original do not match, mentioning
CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and
common.php. This implies that common.php may have had two CVE assigned:
iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html
The first vulnerability is in "php/login.php".
The second vulnerability is in "php/common.php".
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4006 to this issue.
Oracle Secure Backup Administration Server login.php Command Injection
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768
The first vulnerability is in "php/login.php".
The second vulnerability is in "php/common.php".
The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CVE-2008-4006 and CVE-2008-5448 to this issue.
Any clarification would be appreciated.