It has been detected that many of the available methods in the sapstartsrv SOAP server do not require user authentication, allowing remote and
unauthenticated users to obtain sensitive information from the SAP system, such as the list of log files and their content, profile parameters,
developer traces, etc.
Furthermore, some of the unauthenticated methods perform security sensitive operations that may impact over the integrity, confidentiality and/or
availability of the SAP system.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their
systems and protect against the exploitation of the described vulnerability.
- - Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-002
No comments:
Post a Comment