0day.today - Największa Baza Exploitów na Świecie.
![](/img/logo_green.jpg)
- Korzystamy z jednej głównej domeny: http://0day.today
- Większość materiałów jest kompletnie DARMOWA
- Jeżeli chcesz kupić exploita / zdobyć dostęp V.I.P lub zapłacić za którąś z usług,
musisz zakupić lub zdobyćGOLD
Administracja tej strony używa oficjalnej strony kontaktowej. Uważaj na oszustów!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Przeczytaj [ ugoda ]
- Przeczytaj [ Wyślij ] zasady
- Odwiedź [ faq ] strona
- [ Zarejestruj ] profil
- Zdobądź [ GOLD ]
- Jeżeli chcesz [ sprzedaj ]
- Jeżeli chcesz [ kup ]
- Jeżeli stracisz [ Konto ]
- Jakiekolwiek pytania [ [email protected] ]
- Strona autoryzacyjna
- Strona rejestracyjna
- Odzyskiwanie konta
- Strona FAQ
- Strona kontaktowa
- Zasady publikowania
- Strona
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Możesz się z nami skonaktować przez:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal
Autor
Ryzyko
![](/img/risk/critlow_3.gif)
Wysokie Zagrożenie Bezpieczeństwa
]0day-ID
Kategoria
Data dodania
CVE
Platforma
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: Directory traversal Sent: 29.09.2015 Reported: 29.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2234971 Author: Vahagn Vardanyan (ERPScan) Description 1. ADVISORY INFORMATION Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability Advisory ID: [ERPSCAN-16-012] Risk: medium Advisory URL: https://erpscan.com/advisories/erpscan-16-012/ Date published: 08.03.2016 Vendors contacted: SAP 2. VULNERABILITY INFORMATION Class: directory traversal Impact: remotely read file from server Remotely Exploitable: Yes Locally Exploitable: No CVE-2016-3976 CVSS Information CVSS Base Score v3: 7.5 / 10 CVSS Base Vector: AV : Attack Vector (Related exploit range) Network (N) AC : Attack Complexity (Required attack complexity) Low (L) PR : Privileges Required (Level of privileges needed to exploit) None (N) UI : User Interaction (Required user participation) None (N) S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C) C : Impact to Confidentiality Low (L) I : Impact to Integrity None (N) A : Impact to Availability None (N) 3. VULNERABILITY DESCRIPTION An authorized attacker can use a special request to read files from the server and then escalate his or her privileges. 4. VULNERABLE PACKAGES SAP NetWeaver AS JAVA 7.1 - 7.5 Other versions are probably affected too, but they were not checked. 5. SOLUTIONS AND WORKAROUNDS To correct this vulnerability, install SAP Security Note 2234971 6. AUTHOR Vahagn Vardanyan (ERPScan) 7. TECHNICAL DESCRIPTION An attacker can use an SAP NetWeaver function CrashFileDownloadServlet to read files from the server. PoC GET /XXX/CrashFileDownloadServlet?fileName=..\security\data\SecStore.key Disclaimer: According to the partnership agreement between ERPScan and SAP, our company is not entitled to publish any detailed information about detected vulnerabilities before SAP releases a patch. After the release, SAP suggests respecting an implementation time of three months and asks security researchers to not to reveal any details during this time. However, In this case, the vulnerability allows an attacker to read arbitrary files on a remote server, possibly disclosing confidential information, and many such services are exposed to the Internet. As responsible security researchers, ERPScan team made a decision not to disseminate the full PoC even after the specified time. 8. REPORT TIMELINE Send: 29.09.2015 Reported: 29.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 9. REFERENCES https://erpscan.com/advisories/erpscan-16-012/ # 0day.today [2024-07-02] #