(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf )
CYBSEC S.A.
www.cybsec.com
http://www.cybsec.com/vulnerability_policy.pdf
"The IGS provides a server architecture where data from an SAP System or other sources can be used to
generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web Application Server
(versions >= 6.30).
A specially crafted HTTP request can remove any file located on the SAP IGS file-system.
Technical details will be released three months after publication of this pre-advisory. This was
agreed upon with SAP to allow their customers to upgrade affected software prior to technical
knowledge being publicly available.
Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to remotely
remove files existing on the SAP IGS file-system.
These files must have write permission for the SAP System Administrator account (<SID>adm).
Under Microsoft Windows systems, successful exploitation of this vulnerability may allow an attacker
to remove any files existing on the SAP IGS file-system.
SAP has released patches to address this vulnerability. Affected customers should apply the patches
immediately.
Thanks go to Carlos Diaz and Victor Montero.
For more information regarding the vulnerability, feel free to contact the author at mnunez {at}
cybsec.com. Please bear in mind that technical details will be disclosed to the general public three
months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems