A vulnerability that affects SAP's MaxDB hasn't garnered any bids yet on a controversial auction site for computer vulnerabilities.
If exploited, the problem would let an attacker access the entire contents of the database, according to Wabisabilabi, which is offering proof-of-concept code and details on its vulnerability auction site. Bidding starts at ¬3,000 (US$4,407).
"The result can be scary," said Wabisabilabi on its blog.
Wabisabilabi, based in Switzerland, started its vulnerability auction site in July on the premise that security researchers aren't adequately compensated for their work and could sell zero-day vulnerabilities on the black market.
Wabisabilabi's site lets security researchers submit vulnerabilities for auction. Wabisabilabi said it will only sell vulnerabilities to qualified researchers who aren't going to do anything malicious. Nonetheless, the security community has questioned whether Wabisabilabi's business premise is ethical.
According to Wabisabilabi's blog, the MaxDB vulnerability is easy to exploit. It affects Linux machines running the latest version of MaxDB, 7.6.00.37, and Windows machines running version 7.6.00.37. The problem could also affect other versions of the database.
An attacker could send a specially crafted request to the listening port of the vulnerable MaxDB service. The command would be executed with the credentials of the user running the process. Then, an attacker could "dump the content of the whole database," Wabisabilabi wrote.
Wabisabilabi said it's rare to find a database running open on the Internet, but more common within corporate intranets.
An SAP official contacted in Germany did not have an immediate comment.
- Sponsored Resource:Are you ready for virtualization? Try the sever assessment tool.
- Sponsored Resource:Stay at home servers. Learn more about a home server for your family.
- Sponsored Resource:Get the communications, data, and security a business needs in one neat package. Learn more.
- Sponsored Resource:Learn more about ultra light notebooks from Asus and the best warranty in the industry.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Get the truth about remanufactured ink. Learn more from HP.
- Sponsored Resource:Small budget, big impact. Create Brochures that pop with HP laser jets printers.
- Sponsored Resource:Six smart ways to grow small business IT
News For Your Business
- Symantec Warns of New Word Attack
- The Internet Gets a Patch, as DNS Bug Is Fixed
- TrueCrypt 6.0 Improves Data Security Performance
- Groups: Targeted Ad Program May Be Illegal
- Don't Give Google a Free Pass on Data Collection
Community Comments