The vulnerability exist due to an error that may occur when the login.php script of the Oracle Secure Backup web-based interface handles global variables. The script reads variables, including the rbtool option, from cookies on client systems. The script then passes the variables to the globals.php file without sanitizing them, which establishes rbtool as a globally recognizable value within the application. The login.php script later uses the rbtool value unsafely during part of a call to the popen() function to execute a program.
An unauthenticated, remote attacker could exploit this vulnerability by accessing the login.php page and supplying a malicious value to rbtool. By performing another action on a script and forcing login.php to attempt to execute a program using rbtool, the attacker could cause the web-based interface to execute a program that is supplied within the malicious rbtool option. This action could allow the attacker to execute arbitrary code. On Windows systems, an attacker could execute code with SYSTEM privileges; however, on Linux and UNIX systems, the code will execute in the security context of the lower-privileged service account.