Wednesday, October 13, 2010

SAP BusinessObjects Security Patch Released

SAP has released a security patch for certain versions of SAP BusinessObjects that addresses a vulnerability in the embedded Apache Axis2 component. According to the US-CERT write-up:

... anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2"; this is also the default for standalone Axis2 installations.

For further details, please refer to the links below. A public exploit is currently available for this issue.
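Because the underlying weakness is the shipped admin console login, the quickest defensive check is to audit the Axis2 configuration itself. The script below is an added example and is not part of the advisory or of SAP's or Apache's own tooling. It assumes the standard Axis2 layout, in which the admin console credentials are stored as `<parameter name="userName">` and `<parameter name="password">` children of the `<axisconfig>` element in `axis2.xml`; the sample configuration embedded in it is constructed for the example.

```python
"""Audit an Axis2 axis2.xml for the shipped default admin console credentials.

Added example, not from the advisory. Assumes the standard Axis2 layout where
the admin console login lives in <parameter name="userName"> and
<parameter name="password"> directly under <axisconfig>.
"""
import sys
import xml.etree.ElementTree as ET

# Defaults documented in the advisory and shipped with standalone Axis2.
DEFAULT_USER = "admin"
DEFAULT_PASS = "axis2"
MIN_PASSWORD_LEN = 12  # local policy threshold chosen for this example

# Constructed sample axis2.xml fragment that still carries the defaults.
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
</axisconfig>
"""


def read_params(xml_text):
    """Return the top-level <parameter> name -> value map of an axis2.xml."""
    root = ET.fromstring(xml_text)
    params = {}
    for p in root.findall("parameter"):
        name = p.get("name")
        if name:
            params[name] = (p.text or "").strip()
    return params


def audit_admin_credentials(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    params = read_params(xml_text)
    user = params.get("userName")
    password = params.get("password")
    findings = []
    if user is None or password is None:
        findings.append("admin userName/password parameters missing; cannot verify console login")
        return findings
    if user == DEFAULT_USER and password == DEFAULT_PASS:
        findings.append("admin console uses the shipped default credentials admin/axis2")
    elif password == DEFAULT_PASS:
        findings.append("admin password is still the shipped default 'axis2'")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("admin password shorter than %d characters" % MIN_PASSWORD_LEN)
    return findings


if __name__ == "__main__":
    # Usage: python audit_axis2.py /path/to/axis2.xml (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_AXIS2_XML
    for line in audit_admin_credentials(text) or ["no findings"]:
        print(line)
```

Run it against every `axis2.xml` on the BusinessObjects host (and on any other product that embeds Axis2, as the write-up notes) and treat a default-credential finding as equivalent to the unpatched condition until the patch is applied and the password changed.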


References:
http://www.kb.cert.org/vuls/id/989719
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
https://websmp230.sap-ag.de/sap/support/notes/1432881 (requires login)


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
