Remote exploitation of an insecure permissions vulnerability in Sybase Inc.'s M-Business Anywhere could allow an attacker to execute privileged commands. This condition can result in account compromise. The Sybase M-Business platform provides a client for desktop and mobile phone device access to a backend M-Business Server. By default, the M-Business Server allows a user to self-register and create their own account with limited permissions. A vulnerability exists in the web administration interface whereby a regular user can log in and execute scripts meant for exclusive use by the 'admin' user, without requiring any further authentication.
Exploitation of this vulnerability could allow an attacker to gain access to sensitive information hosted on the M-Business Anywhere platform. It is possible for a regular user to list all registered users with the option to edit or change the password, as well as delete any user account, simply by accessing a URL. Additionally, a regular user may create a new group or view the M-Business Server log files.
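The flaw class described above is a missing authorization check: the administration interface confirms that the caller holds a valid session (authentication) but never confirms that the session belongs to the 'admin' role before running admin-only scripts. The following added example is not Sybase's code and makes no claim about how M-Business Anywhere is implemented; it is a constructed, self-contained dispatcher that places the vulnerable pattern beside the corrected one. The account table, the session object, the action names (`list_users`, `delete_user`) and the `AUDIT_LOG` are all hypothetical.

```python
"""Added example (not Sybase's code): authentication-only vs. role-checked admin actions."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authenticated caller lacks the role the action requires."""


@dataclass(frozen=True)
class Session:
    username: str  # set at login; the role is always looked up server-side, never trusted from the client


# Denied admin-action attempts are recorded here so a defender can alert on them (constructed)
AUDIT_LOG = []


def sample_accounts():
    """Constructed account table: one administrator and two self-registered regular users."""
    return {
        "admin": {"role": "admin"},
        "alice": {"role": "user"},
        "bob": {"role": "user"},
    }


# Admin-only scripts, keyed by the action name a request would carry (hypothetical names)
def list_users(accounts, _params):
    return sorted(accounts)


def delete_user(accounts, params):
    removed = accounts.pop(params["username"], None)
    return removed is not None


ADMIN_ACTIONS = {"list_users": list_users, "delete_user": delete_user}


def run_admin_action_vulnerable(session, action, params, accounts):
    """The flaw class: only authentication is verified, never authorization."""
    if session is None:
        raise PermissionError("login required")
    # Any logged-in account, including a self-registered one, reaches the admin script
    return ADMIN_ACTIONS[action](accounts, params)


def run_admin_action_fixed(session, action, params, accounts):
    """Authentication plus an explicit server-side role check on every admin action."""
    if session is None:
        raise PermissionError("login required")
    role = accounts.get(session.username, {}).get("role")
    if role != "admin":
        AUDIT_LOG.append({"user": session.username, "action": action, "result": "denied"})
        raise Forbidden(f"{session.username} may not run {action}")
    return ADMIN_ACTIONS[action](accounts, params)


def demonstrate():
    """Send the same regular-user request through both handlers and report the outcome."""
    alice = Session("alice")
    vulnerable = sample_accounts()
    fixed = sample_accounts()
    # Vulnerable handler: alice's valid session is enough to delete another user's account
    vulnerable_result = run_admin_action_vulnerable(alice, "delete_user", {"username": "bob"}, vulnerable)
    try:
        run_admin_action_fixed(alice, "delete_user", {"username": "bob"}, fixed)
        fixed_result = "allowed"
    except Forbidden:
        fixed_result = "forbidden"
    return {
        "vulnerable_deleted_bob": vulnerable_result,
        "vulnerable_remaining": sorted(vulnerable),
        "fixed_outcome": fixed_result,
        "fixed_remaining": sorted(fixed),
    }


if __name__ == "__main__":
    print(demonstrate())
    print(AUDIT_LOG)
```

The corrected handler reads the role from the server-side account record rather than from anything the client supplies, applies the check inside the dispatcher so every admin script inherits it, and records each denial, which is the signal a defender would watch for while the vendor update is being rolled out.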
Sybase M-Business Anywhere server 6.7 (earlier than Windows Build255, SunOS Build257, Linux Build256) and 7.0 (earlier than Windows Build669, SunOS Build670, Linux Build671) are vulnerable.
iDefense is currently unaware of any workarounds for this issue.
Sybase has released a fix which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
07/06/2011 Initial Vendor Notification
07/07/2011 Vendor Reply
10/14/2011 Coordinated Public Disclosure
This vulnerability was reported to iDefense by AbdulAziz Hariri.
Copyright © 2011 Verisign, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.