[ERPSCAN-13-004] SAP NetWeaver DI – Arbitrary file upload

Application: SAP NetWeaver J2EE
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Arbitrary file upload/Security bypass
Exploits: YES
Reported: 11.12.2012
Vendor response: 12.12.2012
Date of SAP Security Note Published: 12.02.2013
Date of Public Advisory: 20.02.2013
Reference: SAP Security Note 1757675
Author: Dmitry Chastukhin (ERPScan)

Description
An attacker can upload arbitrary files to an SAP server without authorization.

Business Risk
The vulnerability allows any file to be uploaded to the SAP web server without authorization. An attacker can use it to upload a backdoor and obtain full access to the SAP system.
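To make the vulnerability class concrete, the following is an added illustration and is not SAP code; it does not reproduce the actual NetWeaver DI flaw, whose mechanism this advisory does not describe. It places a weak upload handler (no authorization check, client-supplied name used as-is) beside a hardened one that enforces the checks a defender expects: authentication, an authorized role, a name without directory components, an allowlisted extension, and a final path confined to the upload directory. The session shape, roles, paths and allowlist are constructed for the example, and a dict stands in for the filesystem so it runs offline.

```python
"""Added illustration of unauthenticated arbitrary file upload (not SAP code).
The handler, session layout, roles, paths and allowlist are constructed."""
import posixpath

ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf"}   # constructed allowlist
UPLOAD_ROOT = "/srv/uploads"                     # constructed upload directory


class UploadRejected(Exception):
    """Raised by the hardened handler when a request fails a check."""


def vulnerable_store(session, filename, data, store):
    """Weak pattern: the session is never consulted and the client-supplied
    name is joined to UPLOAD_ROOT unchanged, so '../' segments and an
    executable extension such as '.jsp' pass straight through.
    `store` is a dict standing in for the filesystem."""
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    store[path] = data
    return path


def hardened_store(session, filename, data, store):
    """Hardened pattern: authenticate, authorize, sanitize the name, allowlist
    the extension, and confirm the resolved path stays under UPLOAD_ROOT."""
    if not session.get("authenticated"):
        raise UploadRejected("authentication required")
    if "uploader" not in session.get("roles", ()):
        raise UploadRejected("role 'uploader' required")

    base = posixpath.basename(filename)          # strip any directory part
    if base != filename or base in ("", ".", ".."):
        raise UploadRejected("invalid file name")

    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")

    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    # Belt-and-braces: even after basename(), refuse anything outside the root.
    if posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT:
        raise UploadRejected("path escapes upload root")

    store[path] = data
    return path


if __name__ == "__main__":
    fs = {}
    # Constructed request: anonymous session, traversal in the name, executable extension.
    print("weak handler wrote:", vulnerable_store({}, "../../webapp/backdoor.jsp", b"...", fs))
    try:
        hardened_store({}, "../../webapp/backdoor.jsp", b"...", fs)
    except UploadRejected as exc:
        print("hardened handler refused:", exc)
    ok = {"authenticated": True, "roles": ["uploader"]}
    print("hardened handler wrote:", hardened_store(ok, "report.txt", b"data", fs))
```

The weak handler shows why "arbitrary file upload" and "security bypass" are listed together above: with no authorization check and no name validation, an anonymous request chooses both the content and the destination. The hardened handler fails closed on each check independently, so an authorization regression still leaves the name and path checks in place.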