[WEB SECURITY] Placing shells (backdoors) at web sites

Sebastian Schinzel ssc at seecurity.org
Fri Feb 11 04:11:20 EST 2011


Dear Mustlive,

On Feb 10, 2011, at 8:39 PM, MustLive wrote:
> There are few variants of placing shells (as any other backdoors) at web
> sites. First two variants are known and third variant - it's new one, which
> I created last year, when found RCE vulnerability in CMS WebManager-Pro
> (http://websecurity.com.ua/4696/). Similar vulnerabilities also can be in
> other web applications.

The third one is long known to anyone with knowledge in SAP application 
security. Applications written in ABAP, SAP's proprietary programming language,
are stored in the Database. If an attacker gets access to the database of a SAP
system (ABAP), he can change the code.

Cheers,
Sebastian



More information about the websecurity mailing list