[ERPSCAN-11-003] SAP Crystal Reports 2008 — Directory Traversal
Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://www.sap.com
Bugs: Directory Traversal File Read
Vendor response: 30.03.2010
Date of SAP Security Note Published: 08.10.2010
Date of Public Advisory: 14.01.2011
Author: Dmitry Chastuhin
A directory traversal vulnerability was found in SAP Crystal Report Server 2008. It resides in the PerformanceManagement module of the application and allows an attacker to read any file.
By exploiting this vulnerability, an internal or external attacker can access any file located on the SAP Crystal Reports server file system. With this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.