[VIM] Vendor clarification on CVE-2006-0732 (SAP Business Connector)

Steven M. Christey coley at mitre.org
Mon Feb 27 17:42:06 EST 2006


CVE was contacted by a representative of webMethods regarding
CVE-2006-0732.  As of 2006/02/27, details of the problem are not
available due to the researcher's delayed disclosure.  However, the
webMethods representative wanted to provide some additional
clarification.  Since they do not go through public channels like
Bugtraq, they reviewed and agreed with my following summary of their
comments:

  SAP Business Connector is an OEM version of webMethods Integration
  Server.  webMethods states that this issue can only occur when the
  product is installed as root/admin, and if the attacker has access
  to a general purpose port; however, both are discouraged in the
  documentation.  In addition, the attacker must already have acquired
  administrative privileges through other means.


- Steve


======================================================
Name: CVE-2006-0732
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0732
Reference: BUGTRAQ:20060215 CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAPBC
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425048/100/0/threaded
Reference: MISC:http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
Reference: BID:16668
Reference: URL:http://www.securityfocus.com/bid/16668
Reference: FRSIRT:ADV-2006-0611
Reference: URL:http://www.frsirt.com/english/advisories/2006/0611
Reference: SECTRACK:1015639
Reference: URL:http://securitytracker.com/id?1015639
Reference: SECUNIA:18880
Reference: URL:http://secunia.com/advisories/18880

Unspecified vulnerability in SAP Business Connector 4.6 and 4.7 allows
remote attackers to read or delete arbitrary files via unspecified
vectors.  NOTE: This information is based upon a vague initial
disclosure.  Details will be updated after the grace period has ended.
NOTE: SAP Business Connector is an OEM version of webMethods
Integration Server.  webMethods states that this issue can only occur
when the product is installed as root/admin, and if the attacker has
access to a general purpose port; however, both are discouraged in the
documentation.  In addition, the attacker must already have acquired
administrative privileges through other means.
