=====================================================================
CERT-Renater Information Note No. 2005/VULN446
_____________________________________________________________________
DATE                 : 26/07/2005
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running SAP prior to version 6.40 Patch 11.
======================================================================

NISCC Vulnerability Advisory 228614/NISCC/SAP

Directory Traversal Issues with the SAP Internet Graphics Server Product

Version Information
- -------------------
Advisory Reference   228614/NISCC/SAP
Release Date         25 July 2005
Last Revision        18 July 2005
Version Number       1.0

Acknowledgement
- ---------------
This issue was identified by Corsaire Ltd, a privately owned UK company.

What is affected?
- -----------------
The following versions of the product are affected:

- - SAP Internet Graphics Server (IGS) prior to version 6.40 Patch 11

Impact
- ------
If exploited, this vulnerability can result in unintended information disclosure.

Severity
- --------
This is rated as high.

Summary
- -------
The Internet Graphics Server (IGS) is a subcomponent of the SAP R/3 enterprise environment. It is also accessible over HTTP and contains minimal web server functionality. The vulnerability lies in how the IGS validates the document paths that are passed to it.

The details of this issue were passed to SAP on 5 July 2005; they have since addressed the problem and have solutions available to rectify the flaw. Please see the 'Solution' section for further details.

[Please note that revisions to this advisory will not be notified by email. All subscribers are advised to regularly check the NISCC website (http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this notice.]
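The check at the heart of this class of bug, shown as an added example that is not part of this advisory and is not SAP's IGS code: a document-path resolver for a minimal HTTP file server, written in Python. The web root, function names and request paths are assumptions constructed for illustration, and nothing here describes how the IGS itself validates paths. `naive_resolve` shows the vulnerable pattern (the request path is appended to the web root and lexically normalised, so `..` segments walk out of the root); `safe_resolve` shows the hardened form, which undoes percent-encoding before inspecting the path, rejects any `..` segment or NUL byte, and confirms that the final resolved path still lies under the root.

```python
"""Added example, not code from the advisory or from SAP: document-path
validation for a minimal HTTP file server. Names and paths are assumptions."""
import os
from urllib.parse import unquote

# Assumed web root for illustration; not SAP's real directory layout.
WEB_ROOT = "/srv/igs/htdocs"


def naive_resolve(web_root: str, request_path: str) -> str:
    """Vulnerable pattern: append the request path to the web root and
    normalise. '..' segments are honoured, so the result can leave the root."""
    return os.path.normpath(os.path.join(web_root, request_path.lstrip("/")))


def _fully_decode(path: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the string is stable, so that %2e%2e and
    the double-encoded %252e%252e are both seen as '..' before any check."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def safe_resolve(web_root: str, request_path: str) -> str:
    """Hardened resolver: returns the absolute on-disk path for a request,
    or raises PermissionError if the request would escape web_root."""
    decoded = _fully_decode(request_path)
    if "\x00" in decoded:
        # A NUL byte can truncate the path in C string handling.
        raise PermissionError("NUL byte in request path")
    # Treat backslash as a separator too, for servers on Windows hosts.
    decoded = decoded.replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        # Reject rather than silently clamp: a traversal attempt is a signal.
        raise PermissionError("directory traversal sequence in request path")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Defence in depth: after symlink resolution the target must still sit
    # under the root (or be the root itself).
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError("resolved path lies outside the web root")
    return candidate


def is_safe_request(request_path: str, web_root: str = WEB_ROOT) -> bool:
    """Convenience wrapper: True if safe_resolve would serve the request."""
    try:
        safe_resolve(web_root, request_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed request paths, in the shapes a traversal attempt takes.
    for req in ("/images/logo.gif", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/%252e%252e/%252e%252e/win.ini",
                "/..\\..\\boot.ini", "/logo.gif%00.txt"):
        verdict = "served" if is_safe_request(req) else "rejected"
        print(f"{req!r:42} naive -> {naive_resolve(WEB_ROOT, req)!r:45} "
              f"safe -> {verdict}")
```

The order of operations is the point: decoding happens before the `..` check, so an encoded sequence cannot slip past a check that only looks for the literal string, and the final `realpath` comparison catches anything the lexical check did not anticipate, such as a symlink inside the web root pointing elsewhere.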
Details
- -------
CVE ID: CAN-2005-1691

By sending the IGS an HTTP document path that incorporates a directory traversal sequence, it is possible to read documents outside the web root with the privileges of the user account that was used to start the IGS service.

Mitigation
- ----------
To minimise the risk of this vulnerability, we suggest the following:

. Ensure that the IGS product is not reachable externally.

It is also possible to deactivate the IGS product completely; details on how this can be done are described in SAP Note 862169.

Because documents are read with the privileges of the account that runs the IGS, running the service under a dedicated low-privilege account limits what a traversal can reach.

Solution
- --------
Please upgrade to the newest stable version of the software (6.40 Patch 11 or later).

Vendor Information
- ------------------
Founded in 1972, SAP is headquartered in Walldorf, Germany. SAP is listed on several exchanges, including the Frankfurt Stock Exchange and the New York Stock Exchange, under the symbol "SAP." For more information regarding SAP, please visit http://www.sap.com/.

Credits
- -------
This issue was discovered by Corsaire Ltd, who reported the issue to NISCC. The NISCC Vulnerability Team would also like to thank SAP for their co-operation in the handling of this vulnerability.

What is NISCC?
- --------------
For further information regarding the UK National Infrastructure Security Co-ordination Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.
© 2005 Crown Copyright
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44        +
+ 151 bd de l'Hopital    | fax : 01-53-94-20-41        +
+ 75013 Paris            | email: certsvp@renater.fr   +
=========================================================