[WEB SECURITY] Placing shells (backdoors) at web sites

Mike Duncan Mike.Duncan at noaa.gov
Fri Feb 11 12:44:38 EST 2011



Yep. And then open up the ABAP functions for calls outside of SAP via
RPC which is almost always wide-open for exploitation.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

On 02/11/2011 04:11 AM, Sebastian Schinzel wrote:
> Dear Mustlive,
> 
> On Feb 10, 2011, at 8:39 PM, MustLive wrote:
>> There are a few variants of placing shells (like any other backdoors) on web
>> sites. The first two variants are known, and the third variant is a new one, which
>> I created last year when I found an RCE vulnerability in CMS WebManager-Pro
>> (http://websecurity.com.ua/4696/). Similar vulnerabilities can also exist in
>> other web applications.
> 
> The third one has long been known to anyone with knowledge of SAP application
> security. Applications written in ABAP, SAP's proprietary programming language,
> are stored in the database. If an attacker gets access to the database of an SAP
> system (ABAP), he can change the code.
> 
> Cheers,
> Sebastian



