Oracle Business Transaction Management Server ‘deleteFile()’ Arbitrary File Deletion Vulnerability

Summary

Oracle Business Transaction Management Server is prone to a vulnerability that lets attackers delete arbitrary files on an affected computer in the context of the web server.

Credit:

The original article can be found at: http://www.securityfocus.com/bid/54870
The information has been provided by Jordi Chancel.


Details

Vulnerable Systems:
 * Oracle Business Transaction Management Server ‘deleteFile()’ Arbitrary File Deletion Vulnerability

Attackers can exploit this issue with directory-traversal strings (‘../’) to delete arbitrary files; this may aid in launching further attacks. Oracle Business Transaction Management Server 12.1.0.2.7 is vulnerable; prior versions may also be affected.
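
The bug class described above, seen from the defensive side, as an added example (not Oracle's code and not part of the original advisory): a delete handler that resolves the requested name and refuses anything that lands outside its base directory. `safe_delete`, `UnsafePathError`, the directory layout and the file names are constructed for illustration.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested name resolves outside the permitted directory."""


def safe_delete(base_dir, requested_name):
    """Delete requested_name only if it resolves to a regular file inside base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # Collapse '..' segments and follow symlinks before any comparison.
    # An absolute requested_name replaces base in the join and is caught below.
    target = (base / requested_name).resolve(strict=False)
    # Compare path components, not string prefixes, so '/x/uploads_old'
    # is not accepted for base '/x/uploads'.
    if base not in target.parents:
        raise UnsafePathError(f"refusing path outside {base}: {requested_name!r}")
    if not target.is_file():
        raise FileNotFoundError(str(target))
    target.unlink()
    return target


def demo():
    """Constructed scenario: a scratch directory beside files that must survive."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root, "uploads")
        sibling = Path(root, "uploads_old")
        uploads.mkdir()
        sibling.mkdir()
        (uploads / "report.tmp").write_text("scratch")
        (sibling / "archive.log").write_text("keep")
        protected = Path(root, "server.cfg")
        protected.write_text("keep")
        requests = [
            ("plain", "report.tmp"),
            ("traversal", "../server.cfg"),
            ("sibling_prefix", "../uploads_old/archive.log"),
            ("absolute", str(protected)),
        ]
        for label, name in requests:
            try:
                safe_delete(uploads, name)
                results[label] = "deleted"
            except UnsafePathError:
                results[label] = "rejected"
        results["protected_survives"] = (
            protected.exists() and (sibling / "archive.log").exists()
        )
    return results
```
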

Vendor Status:
Currently we are not aware of any vendor-supplied patches.

Disclosure Timeline:
Initial Release: Aug 07 2012
