A security vulnerability in SAP R/3 enterprise software could allow unauthorised access to files, the National Infrastructure Security Coordination Centre has warned.
The security flaw was found in SAP’s Internet Graphics Server (IGS) application, a subcomponent of the SAP R/3 system, by security firm Corsaire. NISCC rated its severity as “high”.
The SAP R/3 enterprise environment is accessible over HTTP and includes a minimal web server function. The security flaw is related to the way the IGS product validates document paths. Hackers could access documents outside the web root, with the privileges of the user who started the IGS service, by entering an HTTP document path that incorporates a directory traversal (../..) sequence, NISCC warned.
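The path-validation weakness described above is the classic directory-traversal pattern: a document path is mapped onto the filesystem without confirming that the result still lies under the web root. The following Python is an added example, not code from the article, from Corsaire, or from SAP; it assumes a hypothetical web root (`/opt/igs/htdocs`) and uses constructed request lines, not real IGS traffic. It contrasts a substring blacklist, which misses percent-encoded variants of the same sequence, with a resolver that decodes, normalises and then checks containment, and it runs that check over sample log lines the way a defender reviewing a web server log would.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root for the example; not a real SAP IGS path.
WEB_ROOT = "/opt/igs/htdocs"


def naive_is_traversal(request_path):
    """Substring blacklist: the kind of check that is easy to get wrong.

    It flags a literal '../' but misses the same sequence once it is
    percent-encoded, so it must not be the only control.
    """
    return "../" in request_path


def resolve_within_root(request_path, web_root=WEB_ROOT):
    """Map an HTTP document path onto the filesystem, or return None if the
    normalised result would leave the web root.

    Steps: percent-decode, join under the root, collapse '.' and '..'
    components, then require the result to equal the root or sit below it.
    """
    decoded = unquote(request_path)
    # Strip the leading slash so the request is joined *under* the root;
    # posixpath.join would otherwise discard the root for an absolute argument.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = posixpath.normpath(web_root)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def audit_access_log(lines):
    """Return the request paths from access-log lines that the safe resolver
    rejects, i.e. requests a defender would want to alert on."""
    rejected = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if resolve_within_root(path) is None:
            rejected.append(path)
    return rejected


# Constructed sample requests in a simplified "METHOD PATH VERSION" form.
SAMPLE_LOG = [
    "GET /images/chart.gif HTTP/1.0",
    "GET /images/../index.html HTTP/1.0",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        path = line.split()[1]
        print(f"{path:36} naive={naive_is_traversal(path)!s:5} "
              f"resolved={resolve_within_root(path)}")
```

Note that `/images/../index.html` is accepted: the `..` never leaves the root, so the containment check passes while a blanket ban on `..` would have refused a harmless request. The decision is made on the normalised filesystem path, not on the raw string, which is what the article's "validates document paths" wording boils down to.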
Corsaire recommended upgrading to the latest version of the SAP IGS software, version 6.40 Patch 11, but warned that it was not yet sure whether the patch fully resolved the validation problem. The IGS product could also be deactivated, the security analysis firm said.