Secunia

Leandro Meiners has reported two vulnerabilities in SAP Business Connect (BC), which can be exploited by malicious people to conduct spoofing attacks or by malicious users to perform certain actions with escalated privileges.

1) Input passed to the "fullName" parameter in /SAP/chopSAPLog.dsp and /invoke/sap.monitor.rfcTrace/deleteSingle isn't properly validated before being used to read or delete files. This can be exploited to read or delete arbitrary files on the system with privileges of the SAP BC process. The BC process reportedly runs with administrator privileges on Windows systems and with root privileges on UNIX systems by default.

The vulnerability has been reported in versions 4.6 and 4.7.

2) Input passed to the "url" parameter in adapter-index.dsp isn't properly validated being being used to display the specified URL in its own frameset. This can be exploited to conduct spoofing attacks against the SAP BC administrator by e.g. tricking the administrator to click on a link that loads the spoofed web site within a HTML frame.

The vulnerability has been reported in SAP BC Core Fix 7 and prior.

Solution
The vendor has reportedly released fixes for the vulnerabilities. See SAP note 906401 and 908349 for details.

Provided and/or discovered by
Leandro Meiners, Cybsec S.A.

Changelog
Further details available in Customer Area

Original Advisory
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Phishing_Vector_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf

Deep Links
Links available in Customer Area