|
|
| |
With WebTransactions openSEAS provides "a product which allows approved host applications to be used in new business processes and modern application scenarios. WebTransactions provides all possibilities to prepare existing host applications for new web based scenarios. Host applications and data can be used via Standard Web browser without need to change anything on the host side".
Fujitsu-Siemens WebTransactions is vulnerable to remote command injection due to insufficient input validation. Under certain conditions, WBPublish.exe passes unvalidated user input to the system() function when cleaning up temporary session data. This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability does not require prior authentication and can be exploited from a web browser. |
| |
Credit:
The information has been provided by Bernhard Mueller.
The original article can be found at: http://www.sec-consult.com/files/20081219-0_fujitsu-siemens_webta_cmdexec.txt
|
| |
Vulnerable Systems:
* Fujitsu-Siemens WebTransactions version 7.1 and prior
Vendor status:
Vendor notified: 2008-05-16
Vendor response: 2008-05-16
Oatch available: 2008-06-18
A patch and vendor advisory for this vulnerability is available at:
http://bs2www.fujitsu-siemens.de/update/securitypatch.htm
|
|
|
