Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet.
Oracle Forms f90servlet module Parameter Arbitrary fmx Execution
Remote / Network Access
Loss of Integrity
Oracle Forms contains a flaw that may allow an attacker to run arbitrary form executables under elevated privileges. The issue is due to the f90servlet script not properly restricting arguments to the 'form' variable, allowing an attacker to provide a path to any .fmx file. If the attacker can create or upload their own .fmx file on the server, they can trivially execute it via the web server, running under SYSTEM privileges.
Currently, there are no known upgrades to correct this issue. However, Alexander Kornbrust has released an unofficial patch to address this vulnerability.
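Until a patch is applied, one way to spot the pattern this entry describes in web server logs is to flag f90servlet requests whose 'form' or 'module' parameter carries an absolute path (Unix, UNC or drive-letter) or directory traversal instead of a bare form name. The following is an added detection example, not code from the original entry or from Oracle; the /forms90/f90servlet URL path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original entry).
# The /forms90/f90servlet path is an assumed deployment location.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /forms90/f90servlet?form=hr_app HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /forms90/f90servlet?form=/tmp/upload/evil.fmx HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /forms90/f90servlet?module=C%3A%5Ctemp%5Cx.fmx HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /forms90/f90servlet?module=..%2F..%2Fx.fmx HTTP/1.1" 200 1024
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Absolute path: leading '/', leading '\' (covers UNC), or a drive letter.
ABS_PATH_RE = re.compile(r'^(?:/|\\|[A-Za-z]:[\\/])')
# A '..' path component bounded by separators or string ends.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def suspicious_form_refs(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, value) for every f90servlet request whose
    'form' or 'module' parameter is an absolute path or contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/f90servlet"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in ("form", "module"):
            for raw in params.get(name, []):
                # parse_qs decoded once; decode again to catch double-encoding.
                value = unquote(raw)
                if ABS_PATH_RE.match(value) or TRAVERSAL_RE.search(value):
                    hits.append((line.split()[0], name, value))
    return hits

if __name__ == "__main__":
    for ip, param, value in suspicious_form_refs(SAMPLE_LOG):
        print(f"{ip} referenced {param}={value!r}")
```

Only the three path-carrying requests are reported; the plain form name and the unrelated URL pass through untouched.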