search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

SAP Internet Graphics Service buffer overflow

Vulnerability Note VU#259540

Original Release Date: 2007-01-19 | Last Revised: 2007-01-19

Overview

SAP Internet Graphics Service contains a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

According to SAP,

The Internet Graphics Service (IGS) constitutes the infrastructure to enable the application developer to display graphics in an Internet browser with a minimum of effort.
The IGS fails to properly handle HTTP requests allowing a heap-based buffer overflow to occur. Note the IGS is is enabled by default in certain versions of the SAP Web Application Server.

This vulnerability may be triggered by sending a specially crafted HTTP request to a vulnerable IGS installation.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system, possibly with elevated privileges.

Solution

According to public reports, SAP has addressed this issue. More information is available SAP Note 968423.

Vendor Information

259540
 
Expand all

SAP Unknown

Updated:  January 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by Mariano Nu༞z Di Croce.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 11.55
Date Public: 2007-01-18
Date First Published: 2007-01-19
Date Last Updated: 2007-01-19 16:26 UTC
Document Revision: 10

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis