PT-2006-3312 · Sap · E-Business Designer

Published: 2006-05-12 · Updated: 2018-10-18 · CVE-2006-2347

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: E-Business Designer (eBD) versions 3.1.4 and earlier

Description: The issue allows remote attackers to obtain the full path of the web server by using specific characters, such as '', and possibly other invalid values, in the id parameter to "form grupo.html", or by making requests to the "archivos/" and "files/" directories. This might be related to SQL injection.

Recommendations: For E-Business Designer (eBD) versions 3.1.4 and earlier, consider restricting access to the "archivos/" and "files/" directories and validating the id parameter in "form grupo.html" to prevent exploitation until a fix is available. Avoid using invalid values in the id parameter to minimize the risk of path disclosure.

Fix

Related Identifiers

CVE-2006-2347

Affected Products

E-Business Designer