SAP DB / MaxDB Cons Program Arbitrary Command Execution



The remote database service allows execution of arbitrary commands.


The version of SAP DB / MaxDB installed on the remote host fails to sanitize user-supplied input to the 'show' and 'exec_sdbinfo' commands before passing it to a 'system()' call. An unauthenticated remote attacker can leverage this issue to execute arbitrary commands on the affected host subject to the privileges under which the service operates, which under Windows is SYSTEM.
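The flaw class described above, shown as an added illustration that is not SAP's code and not part of the original advisory: a request argument pasted into a `system()` command line, next to a form that validates the argument against an allowlist and launches the helper with an argv array so no shell parses it. The function names, the `TOOL` path (a stand-in for whatever helper the service runs) and the sample inputs are assumptions constructed for this example.

```c
/* Added illustration; function names and the helper path are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOOL "/bin/echo"   /* stand-in for the helper the service would launch */

/* Vulnerable pattern: the argument is pasted into a shell command line,
 * so characters such as ; | & ` $ are interpreted by the shell. */
int show_vulnerable(const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, TOOL " %s", arg);
    return system(cmd);
}

/* Allowlist check: 1 to 32 characters of [A-Za-z0-9_], nothing else. */
int is_safe_arg(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_') return 0;
    return 1;
}

/* Hardened pattern: validate, then exec with an argv array (no shell).
 * Returns the child's exit status, or -1 if rejected or on failure. */
int show_hardened(const char *arg) {
    if (!is_safe_arg(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)TOOL, (char *)arg, NULL };
        execv(TOOL, argv);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *inputs[] = { "state", "state; echo INJECTED" };  /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-24s -> %d\n", inputs[i], show_hardened(inputs[i]));
    return 0;
}
```

Running the service under a low-privilege account rather than SYSTEM limits what any remaining injection path can reach.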


No solution is known at this time.