[WEB SECURITY] Placing shells (backdoors) at web sites
Mike.Duncan at noaa.gov
Fri Feb 11 12:44:38 EST 2011
Yep. And then open up the ABAP functions for calls outside of SAP via
RPC which is almost always wide-open for exploitation.
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
On 02/11/2011 04:11 AM, Sebastian Schinzel wrote:
> Dear Mustlive,
> On Feb 10, 2011, at 8:39 PM, MustLive wrote:
>> There are a few variants of placing shells (as with any other backdoors) at web
>> sites. The first two variants are known, and the third variant is a new one, which
>> I created last year, when I found an RCE vulnerability in CMS WebManager-Pro
>> (http://websecurity.com.ua/4696/). Similar vulnerabilities can also be in
>> other web applications.
> The third one is long known to anyone with knowledge in SAP application
> security. Applications written in ABAP, SAP's proprietary programming language,
> are stored in the Database. If an attacker gets access to the database of a SAP
> system (ABAP), he can change the code.