9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%
Added: 09/27/2017
CVE: CVE-2017-1092
BID: 98615
IBM Informix Dynamic Server (IDS) is an online transaction processing (OLTP) data server for enterprise and workgroup computing. Open Admin Tool (OAT) is an open source, platform-independent tool providing a graphical interface for administrative tasks and performance analysis for IDS.
The **welcomeServer**
SOAP service does not properly validate user input in the **new_home_page**
parameter of the **saveHomePage**
method. This allows arbitrary code to be written to the **config.php**
file which is accessible directly from the Open Admin web root. If successfully exploited, an unauthenticated user could execute arbitrary code as system admin on Windows servers and as an unprivileged user on *nix servers.
Apply the appropriate patches referenced in IBM Security Bulletin: Vulnerabilities in Informix Dynamic Server and Informix Open Admin Tool.
<http://www-01.ibm.com/support/docview.wss?uid=swg22002897>
<https://www.exploit-db.com/exploits/42541/>
Exploit works on IBM Open Admin Tool 3.14 on Informix 12.1 Developer Edition (SUSE Linux 11) virtual appliance.
The Open Admin welcome message in **config.php**
needs to be restored if exploit was successful.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.969 High
EPSS
Percentile
99.7%