CVE-2012-1289

Name of the Vulnerable Software and Affected Versions SAP NetWeaver version 7.0

Description The issue allows remote authenticated users to read arbitrary files via a .. (dot dot) in the logfilename parameter to API endpoints such as "b2b/admin/log.jsp" or "b2b/admin/log view.jsp" in the Internet Sales component, or "ipc/admin/log.jsp" or "ipc/admin/log view.jsp" in the Application Administration component.

Recommendations For SAP NetWeaver version 7.0, as a temporary workaround, consider restricting access to the vulnerable API endpoints "b2b/admin/log.jsp", "b2b/admin/log view.jsp", "ipc/admin/log.jsp", and "ipc/admin/log view.jsp" to minimize the risk of exploitation. Avoid using the logfilename parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.