PT-2012-61: XML External Entities Injection in SAP Sybase ASE
Vulnerable software
SAP Sybase ASE
Version: 15.7 ESD 2 and earlier
Link:
http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise
Severity level
Severity level: Medium
Impact: File System Access
Access Vector: Remote
CVSS v2:
Base Score: 4.0
Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE: CVE-2013-6025
Software description
SAP Sybase ASE is a relational database management system developed by SAP.
Vulnerability description
The specialists of the Positive Research center have detected an XML External Entities Injection vulnerability in SAP Sybase ASE.
The vulnerability is in the xmlparse procedure of SAP Sybase ASE. Using a specially crafted SQL request, an unprivileged user can read arbitrary files with the privileges of the user that runs ASE.
How to fix
Update your software to the latest version.
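To find servers that still need the update, the output of `select @@version` can be compared against the affected range stated above. The following Python script is an added example, not part of the original advisory or of any vendor tooling; the banner layout, the sample banners, and the rule that SP-numbered 15.7 builds come after the ESD series are assumptions.

```python
import re

# Affected range as stated in the advisory: 15.7 ESD 2 and earlier.
LAST_AFFECTED_RELEASE = (15, 7)
LAST_AFFECTED_ESD = 2.0

# Assumed @@version layout: "Adaptive Server Enterprise/<version>/<build info>/..."
_BANNER = re.compile(r"^Adaptive Server Enterprise/(\d+)\.(\d+)(?:\.\d+)*/([^/]*)/")
_ESD = re.compile(r"\bESD\s*#\s*(\d+(?:\.\d+)?)")
_SP = re.compile(r"\bSP\d+")

# Constructed sample banners (EBF numbers are placeholders, not real builds).
SAMPLE_BANNERS = [
    "Adaptive Server Enterprise/15.7/EBF 00000 SMP ESD#02 /P/x86_64/Enterprise Linux/",
    "Adaptive Server Enterprise/15.7/EBF 00000 SMP ESD#4.2 /P/x86_64/Enterprise Linux/",
    "Adaptive Server Enterprise/15.5/EBF 00000 SMP ESD#5 /P/x86_64/Enterprise Linux/",
    "Adaptive Server Enterprise/15.7.0/EBF 00000 SMP SP100 /P/x86_64/Enterprise Linux/",
    "Adaptive Server Enterprise/15.7/EBF 00000 SMP /P/x86_64/Enterprise Linux/",
]

def parse_banner(banner):
    """Return (major, minor, esd_level, has_sp) from an @@version string."""
    m = _BANNER.match(banner.strip())
    if m is None:
        raise ValueError("not an ASE @@version banner: %r" % banner)
    build = m.group(3)
    esd = _ESD.search(build)
    return (int(m.group(1)), int(m.group(2)),
            float(esd.group(1)) if esd else 0.0,  # no ESD tag: base release
            _SP.search(build) is not None)

def in_affected_range(banner):
    """True if the banner falls within '15.7 ESD 2 and earlier'."""
    major, minor, esd, has_sp = parse_banner(banner)
    if (major, minor) != LAST_AFFECTED_RELEASE:
        # Older release lines are covered by "and earlier"; newer ones are not.
        return (major, minor) < LAST_AFFECTED_RELEASE
    if has_sp:
        # Assumption: SP-numbered 15.7 builds were released after the ESD series.
        return False
    return esd <= LAST_AFFECTED_ESD

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(in_affected_range(b), b.split("/P/")[0])
```

A `False` result only means the build is outside the range this advisory lists; confirm the fixed build for your platform against the SAP note in the references.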
Advisory status
27.12.2012 - Vulnerability details were sent to CERT
10.09.2013 - Vendor releases fixed version and details
24.10.2013 - Public disclosure
Credits
The vulnerability was detected by Igor Bulatenko, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-61
https://service.sap.com/sap/support/notes/1887341
http://www.kb.cert.org/vuls/id/303900
Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/