PT-2003-1634 · Progress · Progress Database

Published: 2003-06-20 · Updated: 2016-10-18 · CVE-2003-0449

CVSS v2.0: 4.6 (Medium) · Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Progress Database versions 9.1 to 9.1D06
Description: Progress Database trusts user-controlled input when locating the libraries it loads with dlopen(), which allows local users to gain privileges. The library directory can be controlled in two ways: through the PATH environment variable, which proapsv uses to find libjutil.so, or through the -installdir command line parameter, which dbagent uses to find librocket_r.so. In either case a local user can point the lookup at a directory containing a malicious library that is then loaded by the privileged binary.
Recommendations: For Progress Database versions 9.1 to 9.1D06, consider restricting access to the dlopen() function, or limiting the ability of unprivileged users to influence the PATH environment variable and the -installdir command line parameter of these binaries, so that the privilege escalation is not possible. At the moment there is no information about a newer version that contains a fix for this vulnerability.
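As an added illustration (not Progress code), the lookup pattern the advisory describes next to a hardened one: the unsafe loader builds its dlopen() path from a user-supplied directory, while the hardened resolver ignores such directories in a setuid/setgid context and validates them otherwise. Function names, TRUSTED_LIBDIR and the validation rules are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>

/* Compiled-in dir a privileged binary trusts instead of PATH/-installdir (placeholder). */
#define TRUSTED_LIBDIR "/opt/progress/lib"

/* Vulnerable pattern from the advisory: the directory comes from the user (a
 * PATH entry for libjutil.so, -installdir for librocket_r.so), so a local user
 * can point a setuid binary at a library they wrote themselves. */
void *load_library_unsafe(const char *user_dir, const char *libname) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", user_dir, libname);
    return dlopen(path, RTLD_NOW);
}

/* Hardened resolver: a privileged process ignores user-supplied directories
 * entirely; otherwise the directory must be absolute without ".." and the
 * library name must be a bare file name. Returns 0 and fills `out`, -1 if rejected. */
int resolve_library_path(const char *user_dir, int privileged,
                         const char *libname, char *out, size_t outlen) {
    const char *dir = TRUSTED_LIBDIR;
    if (!privileged && user_dir != NULL) {
        if (user_dir[0] != '/' || strstr(user_dir, "..") != NULL)
            return -1;                          /* relative or traversal */
        dir = user_dir;
    }
    if (libname == NULL || libname[0] == '\0' || strchr(libname, '/') != NULL)
        return -1;                              /* name must not carry a path */
    int n = snprintf(out, outlen, "%s/%s", dir, libname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the request is accepted and resolves to `expected`, else 0. */
int resolves_to(const char *user_dir, int privileged, const char *libname,
                const char *expected) {
    char path[4096];
    if (resolve_library_path(user_dir, privileged, libname, path, sizeof path))
        return 0;
    return strcmp(path, expected) == 0;
}

/* Hardened loader: a setuid/setgid context (euid != uid) counts as privileged,
 * so PATH and -installdir can no longer steer which file dlopen() opens. */
void *load_library_safe(const char *user_dir, const char *libname) {
    char path[4096];
    int privileged = (geteuid() != getuid());
    if (resolve_library_path(user_dir, privileged, libname, path, sizeof path))
        return NULL;
    return dlopen(path, RTLD_NOW);
}
```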


Related identifiers

CVE-2003-0449

Affected products

Progress Database