[WEB SECURITY] Placing shells (backdoors) at web sites

Sebastian Schinzel ssc at seecurity.org
Sun Feb 20 17:51:45 EST 2011


Hello all,

Sorry, I just cannot ignore this bait...

On Feb 20, 2011, at 10:32 PM, MustLive wrote:
> But in my article I told about web applications. How much SAP is used in
> Internet (or in Ethernet) web applications and does it have relations to web
> application at all? Not too much.

SAP offers multiple Web frameworks, e.g. SAP's BSP framework alone has
315.000 hits in Google:
http://www.google.de/search?q=allinurl%3A%22%2Fsap%2Fbc%2Fbsp%22

Quantitatively, this is not much. However, if you look at the domains that run
SAP web applications, you will learn that these web applications are run by
the big fish on the web. Furthermore, you can safely bet that on most
Intranets of large organizations there are many SAP Web apps deployed.

This "WebManager-Pro CMS" in which you found the SQL-Injection has
166.000 hits in Google, most of which are dealing with security bugs:
http://www.google.de/search?q=WebManager-Pro

Now what is relevant on the web again?

>> Yep. And then open up the ABAP functions
> 
> Sebastian and Mike, SAP application security is another field, so earlier,
> before I found this hole last year, there was no such (known) attack vector
> for web applications. And from the time when I found this RCE hole in CMS
> WebManager-Pro, the landscape of attack vectors for web applications has
> increased, and from that time there is one more variant of placing shells
> (backdoors) at web sites.
> 
> Which must be interesting for webappsec community. Especially for those who haven't worked with SAP ;-).

- Interesting, yes.
- New, no.
- SAP is relevant on the web.

You have found a nice SQL-Injection that is worth an advisory. It is *not*
worth opening a new class of bugs.

Cheers,
Sebastian
