|
SAP Business Connector Arbitrary File Access and Spoofing
|
|
Secunia Advisory:
|
SA18880
|
|
|
Release Date:
|
2006-02-15
|
|
Last Update:
|
2006-05-16
|
|
Popularity:
|
5,371 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Spoofing
Manipulation of data
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | SAP Business Connector 4.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2006-0731
CVE-2006-0732
|
|
Description:
Leandro Meiners has reported two vulnerabilities in SAP Business Connect (BC), which can be exploited by malicious people to conduct spoofing attacks or by malicious users to perform certain actions with escalated privileges.
1) Input passed to the "fullName" parameter in /SAP/chopSAPLog.dsp and /invoke/sap.monitor.rfcTrace/deleteSingle isn't properly validated before being used to read or delete files. This can be exploited to read or delete arbitrary files on the system with privileges of the SAP BC process. The BC process reportedly runs with administrator privileges on Windows systems and with root privileges on UNIX systems by default.
The vulnerability has been reported in versions 4.6 and 4.7.
2) Input passed to the "url" parameter in adapter-index.dsp isn't properly validated being being used to display the specified URL in its own frameset. This can be exploited to conduct spoofing attacks against the SAP BC administrator by e.g. tricking the administrator to click on a link that loads the spoofed web site within a HTML frame.
The vulnerability has been reported in SAP BC Core Fix 7 and prior.
Solution:
The vendor has reportedly released fixes for the vulnerabilities. See SAP note 906401 and 908349 for details.
Provided and/or discovered by:
Leandro Meiners, Cybsec S.A.
Changelog:
2006-02-17: Added CVE references.
2006-05-16: Updated advisory with additional information from Cybsec.
Original Advisory:
http://www.cybsec.com/vuln/CYBSEC_Sec...ary_File_Read_or_Delete_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Sec...ary_File_Read_or_Delete_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Sec...dvisory_Phishing_Vector_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Sec...dvisory_Phishing_Vector_in_SAP_BC.pdf
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
