PT-2012-24: Directory traversal in SAP NetWeaver
Vulnerable software
SAP NetWeaver
Version: 7.x
Link:
http://sap.com/
Severity level
Severity level: Medium
Impact: Arbitrary File Reading
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: not assigned
Software description
SAP NetWeaver is a special software solution by SAP that is a basis for all SAP Business Suite applications.
Vulnerability description
The specialists of the Positive Research center have detected "Directory traversal" vulnerability in SAP NetWeaver.
The system incorrectly checks reading file name that allows attackers to bypass filtering and read arbitrary files.
How to fix
Update your software up to the latest version
Advisory status
16.07.2012 - Vendor is notified
16.07.2012 - Vendor gets vulnerability details
14.05.2013 - Vendor releases fixed version and details
13.09.2013 - Public disclosure
Credits
The vulnerability was detected by Pavel Toporkov, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-24
https://service.sap.com/sap/support/notes/1779578
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/