PT-2005-3286 · Oracle · Oracle Forms

Alexander Kornbrust · Published 2005-07-26 · Updated 2016-10-18 · CVE-2005-2372

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Oracle Forms versions 4.5 through 10g

Description
Attackers can execute arbitrary code by uploading a malicious .fmx file and then referencing it with an absolute pathname in the form or module parameter passed to f90servlet. This is possible because Oracle Forms starts form executables from arbitrary directories and runs them with the privileges of the Oracle or System user.

Recommendations
For Oracle Forms versions 4.5 through 10g, consider restricting access to f90servlet to minimize the risk of exploitation. As a temporary workaround, avoid using absolute pathname arguments in the form or module parameters to f90servlet until a patch is available. At the moment there is no information about a newer version that contains a fix for this vulnerability.
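The advisory's workaround is to keep form and module names free of absolute paths. The following is an added example (not from the advisory or from Oracle) showing how a defender could check that policy against web server access logs: it parses f90servlet requests, decodes the form and module parameters, and flags any value that is not a bare module name (absolute Unix or Windows path, drive letter, or traversal). The log lines, the allowlist pattern for a module name and the URL prefix /forms90/ are constructed for the example.

```python
"""Flag f90servlet requests whose form/module parameter is a path rather
than a bare module name. Added example; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2005:10:01:02 +0000] "GET /forms90/f90servlet?form=hr_main HTTP/1.1" 200 512
10.0.0.7 - - [26/Jul/2005:10:02:15 +0000] "GET /forms90/f90servlet?form=/tmp/upload/evil.fmx HTTP/1.1" 200 512
10.0.0.9 - - [26/Jul/2005:10:03:44 +0000] "GET /forms90/f90servlet?config=test&module=C:\\temp\\evil.fmx HTTP/1.1" 200 512
10.0.0.9 - - [26/Jul/2005:10:04:01 +0000] "GET /forms90/f90servlet?form=..%2F..%2Ftmp%2Fevil.fmx HTTP/1.1" 200 512
10.0.0.3 - - [26/Jul/2005:10:05:30 +0000] "GET /forms90/f90servlet?module=orders HTTP/1.1" 200 512
10.0.0.3 - - [26/Jul/2005:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 100
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed policy: a module name is letters, digits, '_' or '-', optionally
# ending in ".fmx". Anything with a separator, drive letter or ".." is rejected.
MODULE_NAME_RE = re.compile(r"[A-Za-z0-9_\-]+(\.fmx)?", re.IGNORECASE)

# Parameters the advisory names as the injection point.
PATH_PARAMS = ("form", "module")


def is_safe_module_name(value):
    """True only for a bare module name; any path-like value is unsafe."""
    if not value:
        return False
    if "/" in value or "\\" in value or ":" in value or ".." in value:
        return False
    return MODULE_NAME_RE.fullmatch(value) is not None


def find_suspicious_requests(log_text):
    """Return (client_ip, parameter, value) for every f90servlet request
    whose form or module parameter is not a bare module name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("f90servlet"):
            continue  # only the servlet the advisory concerns
        # parse_qs percent-decodes, so "..%2F" is seen as "../"
        params = parse_qs(parts.query, keep_blank_values=True)
        for key in PATH_PARAMS:
            for value in params.get(key, []):
                if not is_safe_module_name(value):
                    hits.append((m.group("ip"), key, value))
    return hits


if __name__ == "__main__":
    for ip, key, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {key}={value!r} is not a bare module name")
```

The same is_safe_module_name check can be applied in front of the servlet (for example in a reverse proxy rule) to reject path-like values before they reach Forms, which is the hardened form of the advisory's workaround; the log scan is the detective counterpart for finding such requests after the fact.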

Exploit


Related identifiers

CVE-2005-2372

Affected products

Oracle Forms