Public Vulnerability Reports

Sybase M-Business Anywhere Insecure Permissions Vulnerability

14.10.11

BACKGROUND

Sybase M-Business is an application platform for delivering web-based applications and content to mobile devices. The platform supports on-device Mobile Dynamic HTML, CSS Style Attributes, JavaScript, Databases and the Document Object Model. For more information about Sybase M-Business, please visit the following website:

http://www.sybase.com/products/allproductsa-z/m-businessanywhere

DESCRIPTION

Remote exploitation of an insecure permissions vulnerability in Sybase Inc.'s M-Business Anywhere could allow an attacker to execute privileged commands. This condition can result in account compromise. The Sybase M-Business platform provides a client for desktop and mobile phone device access to a backend M-Business Server. By default, the M-Business Server allows a user to self-register and create their own account with limited permissions. A vulnerability exists in the web administration interface whereby a regular user can log in and execute scripts meant for exclusive use by the 'admin' user, without requiring any further authentication: the server verifies that the caller has a valid session, but not that the caller is the 'admin' user.

ANALYSIS

Exploitation of this vulnerability could allow an attacker to gain access to sensitive information hosted on the M-Business Anywhere platform. It is possible for a regular user to list all registered users, edit any user or change its password, and delete any user account simply by requesting a URL. Additionally, a regular user may create a new group or view the M-Business Server log files.
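The defect described above is a missing authorization check, not a missing authentication check: the user is logged in, but nothing confirms the logged-in user is allowed to run an admin-only script. The following Python is an added illustration of that distinction and is not code from the advisory or from the Sybase product. The action names mirror the capabilities listed in this section; the session model, the server object, the function names and which actions count as admin-only are assumptions made for the illustration.

```python
"""
Added illustration (not Sybase code): an authentication-only dispatcher
beside one that also checks the caller's role before running admin-only
actions. Action names follow the advisory's ANALYSIS section; everything
else (Session, Server, the role names) is assumed for this example.
"""
from dataclasses import dataclass, field

# Actions the advisory says a self-registered user could reach.
# Treating them as admin-only is an assumption of this illustration.
ADMIN_ONLY_ACTIONS = frozenset({
    "list_users", "edit_user", "change_password", "delete_user",
    "create_group", "view_server_log",
})


class Denied(Exception):
    """Raised when a request is refused by a dispatcher."""


@dataclass
class Session:
    user: str
    role: str                  # "admin" or "user"; self-registration yields "user"
    authenticated: bool = True


@dataclass
class Server:
    # Constructed sample state: one admin and two self-registered users.
    users: dict = field(default_factory=lambda: {"admin": "admin", "alice": "user", "bob": "user"})
    groups: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def perform(self, action, session, target=None):
        """The script body; identical under both dispatchers, only the gate differs."""
        self.log.append(f"{session.user} {action} {target or ''}".strip())
        if action == "list_users":
            return sorted(self.users)
        if action == "delete_user":
            self.users.pop(target, None)
            return f"deleted {target}"
        if action == "create_group":
            self.groups.add(target)
            return f"created group {target}"
        if action == "view_server_log":
            return list(self.log)
        if action in ("edit_user", "change_password"):
            return f"changed {target}"
        raise ValueError(f"unknown action {action}")


def dispatch_vulnerable(server, session, action, target=None):
    """Checks only that the caller is logged in: the class of flaw the advisory describes."""
    if not session.authenticated:
        raise Denied("login required")
    return server.perform(action, session, target)


def dispatch_fixed(server, session, action, target=None):
    """Authentication and authorization, enforced server-side on every request,
    regardless of which links the web interface chose to show the user."""
    if not session.authenticated:
        raise Denied("login required")
    if action in ADMIN_ONLY_ACTIONS and session.role != "admin":
        raise Denied(f"{action} requires the admin role")
    return server.perform(action, session, target)


def demo():
    """A regular user tries to delete 'bob' through each dispatcher.
    Returns (users remaining under the vulnerable path, users remaining under the fixed path)."""
    regular = Session(user="alice", role="user")
    vuln = Server()
    dispatch_vulnerable(vuln, regular, "delete_user", "bob")   # succeeds: no role check
    fixed = Server()
    try:
        dispatch_fixed(fixed, regular, "delete_user", "bob")   # refused: not admin
    except Denied:
        pass
    return sorted(vuln.users), sorted(fixed.users)


if __name__ == "__main__":
    print(demo())
```

The check belongs in the server-side handler for every administrative script, keyed on the session's role, not on whether the interface rendered a link to that script; hiding the admin menu from regular users does nothing against a user who simply requests the URL.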

DETECTION

Sybase M-Business Anywhere server 6.7 (earlier than Windows Build255, SunOS Build257, Linux Build256) and 7.0 (earlier than Windows Build669, SunOS Build670, Linux Build671) are vulnerable.

WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VENDOR RESPONSE

Sybase has released a fix which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.

http://www.sybase.com/detail?id=1095200

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

DISCLOSURE TIMELINE

07/06/2011 Initial Vendor Notification
07/07/2011 Vendor Reply
10/14/2011 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by AbdulAziz Hariri

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2011 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.