Application: SAP NetWeaver AS ABAP
Versions Affected: SAP NetWeaver AS ABAP 7.4
Vendor URL: SAP
Bugs: Directory traversal
Vendor response: 23.04.2016
Date of Public Advisory: 08.08.2016
Reference: SAP Security Note 2312966
Author: Daria Prosochkina (ERPScan)
An attacker may be able to read the contents of unexpected files and expose sensitive data. If a targeted file is used as a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
An attacker can use directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration and system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.