0day.today - наибольшая база данных эксплоитов в мире.
![](/img/logo_green.jpg)
Мы используем один основной домен 0day.today
Если Вы желаете приобрести эксплоит или заплатить за услуги - Вам необходимо приобрести Золото (Gold). Мы не хотим чтобы Вы использовали наш сайт как инструмент для взломов, поэтому любые действия, которые могут незаконно влиять на других пользователей или на сайты, к которым у Вас нет прав доступа будут запрещены и Ваш профиль со всей вложенной информацией будет уничтожен.
Администрация сайта использует официальные контакты. Опасайтесь обманщиков!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Прочитайте [ соглашение ]
- Прочитайте [ Отправить ] правила
- Посетите страницу [ faq ] page
- [ Зарегистрируйте ] профиль
- Получите [ Gold ]
- Если Вы хотите [ продать ]
- Если Вы хотите [ купить ]
- Если Вы потеряли [ Счет ]
- Любые вопросы [ [email protected] ]
- Страница авторизации
- Страница регистрации
- Страница восстановления
- Страница FAQ
- Страница контактов
- Правила публикации
- Страница с соглашением
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Вы можете связаться с нами по:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal
Автор
Риск
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Категория
Дата добавления
CVE
Платформа
Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 Vendor URL: http://SAP.com Bug: Directory traversal Sent: 29.09.2015 Reported: 29.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 Reference: SAP Security Note 2234971 Author: Vahagn Vardanyan (ERPScan) Description 1. ADVISORY INFORMATION Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability Advisory ID: [ERPSCAN-16-012] Risk: medium Advisory URL: https://erpscan.com/advisories/erpscan-16-012/ Date published: 08.03.2016 Vendors contacted: SAP 2. VULNERABILITY INFORMATION Class: directory traversal Impact: remotely read file from server Remotely Exploitable: Yes Locally Exploitable: No CVE-2016-3976 CVSS Information CVSS Base Score v3: 7.5 / 10 CVSS Base Vector: AV : Attack Vector (Related exploit range) Network (N) AC : Attack Complexity (Required attack complexity) Low (L) PR : Privileges Required (Level of privileges needed to exploit) None (N) UI : User Interaction (Required user participation) None (N) S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C) C : Impact to Confidentiality Low (L) I : Impact to Integrity None (N) A : Impact to Availability None (N) 3. VULNERABILITY DESCRIPTION An authorized attacker can use a special request to read files from the server and then escalate his or her privileges. 4. VULNERABLE PACKAGES SAP NetWeaver AS JAVA 7.1 - 7.5 Other versions are probably affected too, but they were not checked. 5. SOLUTIONS AND WORKAROUNDS To correct this vulnerability, install SAP Security Note 2234971 6. AUTHOR Vahagn Vardanyan (ERPScan) 7. TECHNICAL DESCRIPTION An attacker can use an SAP NetWeaver function CrashFileDownloadServlet to read files from the server. PoC GET /XXX/CrashFileDownloadServlet?fileName=..\security\data\SecStore.key Disclaimer: According to the partnership agreement between ERPScan and SAP, our company is not entitled to publish any detailed information about detected vulnerabilities before SAP releases a patch. After the release, SAP suggests respecting an implementation time of three months and asks security researchers to not to reveal any details during this time. However, In this case, the vulnerability allows an attacker to read arbitrary files on a remote server, possibly disclosing confidential information, and many such services are exposed to the Internet. As responsible security researchers, ERPScan team made a decision not to disseminate the full PoC even after the specified time. 8. REPORT TIMELINE Send: 29.09.2015 Reported: 29.09.2015 Vendor response: 30.09.2015 Date of Public Advisory: 08.03.2016 9. REFERENCES https://erpscan.com/advisories/erpscan-16-012/ # 0day.today [2024-07-02] #