Summary
Oracle's Web Listener (a component of the Oracle Application Server) is installed and can be used by a remote attacker to run arbitrary commands on the web server.
Read more about this hole at:
http://www.securiteam.com/windowsntfocus/Oracle_Web_Listener_4_0_x_CGI_vulnerability.html
Solution
If 'ows-bin' is the default CGI directory used by the Oracle Application Server Manager, then remove the ows-bin virtual directory or point it to a more benign directory.
If 'ows-bin' is not the default, verify that there are no batch files in this directory.
Severity
Classification
- CVE: CVE-2000-0169
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P