|
(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Arbitrary File Removal
=================
Vulnerability Class: Path Traversal
===================
Release Date: 12/05/2006
============
Affected Applications:
=====================* SAP IGS 6.40 Patchlevel <= 16
* SAP IGS 7.00 Patchlevel <= 6
Affected Platforms:
==================* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit
Local / Remote: Remote
==============
Severity: High
========
Author: Mariano Nu=F1ez Di Croce
======
Vendor Status:
=============* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
============================================http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
================="The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web Application Server (versions >= 6.30)
Vulnerability Description:
=========================A specially crafted HTTP request can remove any file located in SAP IGS file-system.
Technical Details:
=================Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to
upgrade affected software prior to technical knowledge been publicly available.
Impact:
======Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to remotely remove files existing on the SAP IGS file-system.
These files must have write permission for SAP System Administrator account (