CVE-2003-0748
CVSS 5.0
Published: 2003-10-20 00:00:00
Last revised: 2008-09-05 16:35:09

[Original] Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename.


[CNNVD] SAP Internet Transaction Server Remote Directory Traversal Vulnerability (CNNVD-200310-056)

        
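SAP Internet Transaction Server (ITS) is an Internet-based transaction service program.
Because the application incorrectly parses user requests and does not properly perform buffer bounds checking, a remote attacker can exploit this vulnerability in the SAP ITS server to access the source code of some files or file information outside the web root.
By supplying specially crafted input to the "~theme" and "~template" parameters, for example multiple '..\..' sequences in the "~theme" parameter and a filename containing an overly long string in the "~template" parameter, the application's correct parsing of the file can be bypassed and the contents of the requested file disclosed.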
        

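- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]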

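- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0748
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0748
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-056
(official data source) CNNVD

- Other links and resources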

http://xforce.iss.net/xforce/xfdb/13066
(VENDOR_ADVISORY)  XF  its-wgatedll-directory-traversal(13066)
http://www.securityfocus.com/bid/8516
(VENDOR_ADVISORY)  BID  8516
http://archives.neohapsis.com/archives/bugtraq/2003-08/0361.html
(VENDOR_ADVISORY)  BUGTRAQ  20030830 SAP Internet Transaction Server

- Vulnerability information

SAP Internet Transaction Server Remote Directory Traversal Vulnerability
Medium severity  Input validation
2003-10-20 00:00:00 2005-10-20 00:00:00
Remote
        
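SAP Internet Transaction Server (ITS) is an Internet-based transaction service program.
Because the application incorrectly parses user requests and does not properly perform buffer bounds checking, a remote attacker can exploit this vulnerability in the SAP ITS server to access the source code of some files or file information outside the web root.
By supplying specially crafted input to the "~theme" and "~template" parameters, for example multiple '..\..' sequences in the "~theme" parameter and a filename containing an overly long string in the "~template" parameter, the application's correct parsing of the file can be bypassed and the contents of the requested file disclosed.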
        

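- Advisories and patches

Vendor patch:
SAP
---
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: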
        
        http://www.sap.com/

- Vulnerability information (23070)

SAP Internet Transaction Server 4620.2.0.323011 Build 46B.323011 Directory Traversal File Disclosure Vulnerability (EDBID:23070)
multiple remote
2003-08-30 Verified
0 Martin Eiszner
N/A
source: http://www.securityfocus.com/bid/8516/info

SAP is said to be prone to a directory traversal vulnerability, potentially allowing users to disclose the contents of sensitive files. The problem occurs because the application fails to parse user-supplied input for directory traversal sequences (../) and lacks correct bounds checking, making it possible to bypass the appending of the .html extension to requested files. As a result, it may be possible to access sensitive files residing outside of the requested location.

http://www.server.name/scripts/wgate/pbw2/!?

with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(where "+" stands for spaces "%20" uri encoded). 		

- Vulnerability information

6449
SAP Internet Transaction Server wgate.dll Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

2003-08-30 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SAP has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SAP Internet Transaction Server Directory Traversal File Disclosure Vulnerability
Input Validation Error 8516
Yes No
2003-08-30 12:00:00 2009-07-11 11:56:00
This vulnerability was reported by Martin Eiszner <martin@websec.org>.

- Affected program versions

SAP Internet Transaction Server 4620.2.0.323011 Build 46B.323011

- Discussion

SAP is said to be prone to a directory traversal vulnerability, potentially allowing users to disclose the contents of sensitive files. The problem occurs because the application fails to parse user-supplied input for directory traversal sequences (../) and lacks correct bounds checking, making it possible to bypass the appending of the .html extension to requested files. As a result, it may be possible to access sensitive files residing outside of the requested location.

- Exploit

The following proof of concept has been supplied.

http://www.server.name/scripts/wgate/pbw2/!?

with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(where "+" stands for spaces "%20" uri encoded).

- Solution

It has been reported that this issue has been addressed by SAP; however, this information has not been confirmed by Symantec. Users are advised to contact SAP for any further details regarding available fixes.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
