[NEWS] SAP Internet Transaction Server Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/03
To: list@securiteam.com Date: 2 Sep 2003 15:37:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SAP Internet Transaction Server Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
The SAP Internet Transaction Server (ITS) has been found to contain the following vulnerabilities:
- Path/Information Disclosure
- Directory Traversal
- Filename Truncation
- Arbitrary File Disclosure
- Cross Site Scripting/Cookie Theft
DETAILS
Vulnerable systems:
* ITS version 4620.2.0.323011 build 46B.323011
Path/information disclosure:
Insufficient input and output validation on several user-supplied values
allows non-existent values to be submitted for the following parameters:
~service
~templatelanguage
~language
~theme
~template
This leads to a number of unintended error messages that may disclose
sensitive information about the operating system, the software version and
the directory structure of the attacked server.
Example:
http://www.server.name/scripts/wgate/pbw2/!?
With the following parameters:
~runtimemode=DM&
~language=en&
~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&
Remarks:
It might be possible that "~template" is an undocumented or forgotten
variable.
Arbitrary file disclosure (Directory Traversal / File Truncation):
Example:
http://www.server.name/scripts/wgate/pbw2/!?
With the following parameters:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
(Where "+" stands for spaces "%20" URI encoded).
On an ITS default installation, the above example causes the server to
respond with the global server configuration file "global.srvc".
Normally the default template extension is appended to the rest of the
template information. Most probably, somebody wanted to avoid a possible
buffer overflow by truncating input values that exceed a given length;
this truncation makes it possible to shed the ".html" extension.
For some unexplained reason the program now and then responds with an
error message instead of returning the requested file. This might be due
to unwanted or additional HTTP request header information.
Remarks:
The global configuration file "global.srvc" contains the username and a
DES-encrypted password:
~password des26(2c94f116f4393f3d)
~login Master
A good DES-cracker should be able to crack this password-hash either by
using wordlists or by brute-force methods.
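As an added illustration (not code from the advisory or from SAP), the following Python reproduces the truncation defect described above in a toy template resolver, beside a hardened version that rejects over-long or traversal input instead of truncating. The directory layout, buffer size and component limit are assumptions chosen for the example.

```python
from pathlib import PureWindowsPath

# Constructed layout for illustration; not the real ITS directory structure.
TEMPLATE_ROOT = PureWindowsPath(r"C:\ITS\templates")
MAX_PATH_LEN = 48            # hypothetical fixed buffer size
MAX_COMPONENT_LEN = 32       # hypothetical per-component limit for the fix
DEFAULT_EXT = ".html"


def resolve_vulnerable(theme: str, template: str) -> str:
    """Reproduce the defect the advisory describes: the default extension is
    appended after the user input, then the whole path is cut to a fixed
    length. Padding the template name with spaces pushes ".html" past the
    cut, and nothing rejects "..", so the path escapes the template root."""
    full = f"{TEMPLATE_ROOT}\\{theme}\\{template}{DEFAULT_EXT}"
    # Trailing spaces are ignored by the filesystem, so strip them as it would.
    return full[:MAX_PATH_LEN].rstrip()


def resolve_safe(theme: str, template: str) -> PureWindowsPath:
    """Hardened lookup: excessive length is a reject condition, not a
    truncation; each component must be one plain name segment; the
    extension is enforced on the final path."""
    for part in (theme, template):
        if not part or len(part) > MAX_COMPONENT_LEN:
            raise ValueError("component empty or too long")
        if part != part.strip() or any(c in part for c in "\\/:") or part in (".", ".."):
            raise ValueError("component must be a plain name")
    candidate = TEMPLATE_ROOT / theme / (template + DEFAULT_EXT)
    # Defence in depth: the final path must still sit below the template root.
    if TEMPLATE_ROOT not in candidate.parents or candidate.suffix != DEFAULT_EXT:
        raise ValueError("path escapes template root")
    return candidate


def is_rejected(theme: str, template: str) -> bool:
    """True if the hardened resolver refuses the given input."""
    try:
        resolve_safe(theme, template)
    except ValueError:
        return True
    return False
```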
Cross Site Scripting/Cookie Theft:
Insufficient input and output validation on several user-supplied
parameters allows the insertion of HTML and client-side scripting tags.
Example:
http://www.server.name/scripts/wgate.dll?
With the following parameters:
~service=--><img%09src=javascript:alert(1)%3bcrap
Remarks:
Due to excessive usage of cookies for managing sessions and/or states,
cookie-theft is very likely. There might be several other locations where
HTML/scripting tags can be inserted.
Vendor Status:
The vendor was contacted on 02.08.2003 and has issued patches.
Vendor Patches:
SAP recommends consulting SAP Notes 598074, 595383 and 654038.
ADDITIONAL INFORMATION
The information has been provided by Martin Eiszner <martin@websec.org> of
SEC-CONSULT.