Over Half Of SAP Servers On The Internet Are Vulnerable To Attack, Researcher Says

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/security/application-security/231003085/over-half-of-sap-servers-on-the-internet-are-vulnerable-to-attack-researcher-says.html

By Tim Wilson
Dark Reading
Aug 01, 2011

A researcher has discovered a critical set of security vulnerabilities 
that afflicts more than half of SAP servers on the Internet.

At the Black Hat USA conference in Las Vegas this week, SAP security 
expert Alexander Polyakov will outline a new issue he has found with the 
industry's most popular enterprise resource planning (ERP) application, 
SAP.

The new class of vulnerabilities could enable an attacker to gain 
control of a company's financial flow, providing the path for espionage, 
sabotage, or fraud, Polyakov says in a press release.

The flaw, which Polyakov foun in the J2EE engine of SAP's NetWeaver 
software, allows and attacker to bypass authorization checks. "For 
example, it is possible to create a user and assign him to the 
administrators' group using two unauthorized requests to the system, the 
release states. The attack works even when systems are protected by 
two-factor authentication.

[...]


___________________________________________________________
Attend Black Hat USA 2011, hosted at Caesars Palace in
Las Vegas, Nevada July 30-Aug 4, offering over 60 training
sessions and 9 tracks of Briefings from security industry elite.
To sign up visit: http://www.blackhat.com