ID CVE-1999-1125
Summary Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:http_server:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:1.0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:1.0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:1.0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:2.1:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 18-10-2016 - 02:01)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
refmap via4
bugtraq 19970919 Instresting practises of Oracle [Oracle Webserver]
Last major update 18-10-2016 - 02:01
Published 19-09-1997 - 04:00
Last modified 18-10-2016 - 02:01