• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1718408 - Directory Traversal in database interface

Главная Специалистам База уязвимостей Note 1718408 - Directory Traversal in database interface

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1718408-3) SAP Support Packages (SAPKW70030, SAPKW70113, SAPKW70212, SAPKW71015, SAPKW71110, SAPKW72008, SAPKW73008, SAPKW73105)
Описание
The database interface of BW fails to correctly validate the path to  which a user-submitted file is written. As a result, an attacker can potentially overwrite data in the remote system.
Как исправить
BW fails to correctly validate the path to which a user-submitted file is written. As a result, an attacker can potentially overwrite data in the remote system.
After you implement the corrections, only the following directories can be selected:
UNIX: /tmp/<FILENAME>
WINDOWS NT: <P=DIR_TEMP>\<FILENAME>

If you try to write data under UNIX to /usr/sap/put/my_data, the system rejects this.
The settings are defined in transaction /NFILE.
Logical File Path Definition: BW_RSDR
Logical File Name Definition, Cross-Client: BW_RSDR and implement the corrections.
Ссылки