PT-2012-24: Directory traversal in SAP NetWeaver

Vulnerable software
SAP NetWeaver
Version: 7.x
Link: http://sap.com/

Severity level
Severity level: Medium
Impact: Arbitrary File Reading
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: not assigned

Software description
SAP NetWeaver is a software solution by SAP that serves as the basis for all SAP Business Suite applications.

Vulnerability description
Specialists of the Positive Research center detected a directory traversal vulnerability in SAP NetWeaver.
The system incorrectly checks the name of the file to be read, which allows attackers to bypass filtering and read arbitrary files.

How to fix
Update your software to the latest version.

Advisory status
16.07.2012 - Vendor is notified
16.07.2012 - Vendor gets vulnerability details
14.05.2013 - Vendor releases fixed version and details
13.09.2013 - Public disclosure

Credits
The vulnerability was detected by Pavel Toporkov, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2012-24
https://service.sap.com/sap/support/notes/1779578

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/