[ERPSCAN-13-004] SAP NetWeaver DI – Arbitrary file upload

DSECRG Advisories

Application: SAP NetWeaver J2EE
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Arbitrary file upload/Security bypass
Exploits: YES
Reported: 11.12.2012
Vendor response: 12.12.2012
Date of SAP Security Note Published: 12.02.2013
Date of Public Advisory: 20.02.2013
Reference: SAP Security Note 1757675
Author: Dmitry Chastukhin (ERPScan)

An attacker can upload arbitrary files to the SAP server without authorization.

Business Risk
The vulnerability allows an attacker to upload any file to the SAP web server without authorization. An attacker can use it to upload a backdoor and obtain full access to the SAP system.

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: