NISCC reveals SAP R/3 security flaw


Tash Shifrin

A security vulnerability in SAP R/3 enterprise software could allow unauthorised access to files, the National Infrastructure Security Coordination Centre has warned.

The security flaw was found in SAP’s Internet Graphics Server (IGS) application, a subcomponent of the SAP R/3 system, by security firm Corsaire. NISCC rated its severity as “high”.

The SAP R/3 enterprise environment is accessible over HTTP and includes a minimal web server function. The security flaw is related to the way the IGS product validates document paths.

Hackers could access documents outside the web root, with the privileges of the user who started the IGS service, by entering an HTTP document path that incorporates a directory traversal (../..) sequence, NISCC warned.

Corsaire recommended upgrading to the latest version of the SAP IGS software, version 6.40 Patch 11, but warned that it was not yet sure whether the patch fully resolved the validation problem.

The IGS product could also be deactivated, the security analysis firm said.
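
The kind of document-path validation at issue, as an added example (not SAP's or Corsaire's code, and not part of the original article): the request path is decoded once, canonicalised, and then confined to the web root. The function names, directory layout and request paths are constructed for illustration.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def naive_resolve(web_root, url_path):
    # Flawed pattern: the request path is joined to the root with no check
    # on where the result points.
    return os.path.normpath(os.path.join(web_root, url_path.lstrip("/")))


def safe_resolve(web_root, url_path):
    """Return the canonical file path for url_path, or None if it escapes web_root."""
    root = os.path.realpath(web_root)
    decoded = unquote(url_path)            # decode exactly once: %2e%2e%2f -> ../
    if "\x00" in decoded:
        return None                        # NUL can truncate paths in native code
    decoded = decoded.replace("\\", "/")   # treat Windows separators as separators
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Compare whole path components after canonicalisation; a plain
    # startswith() would accept a sibling such as <base>/www-private.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Build a constructed directory tree and resolve constructed request paths."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "img"))
    os.makedirs(os.path.join(base, "www-private"))
    requests = [
        "/img/chart.png",                  # ordinary document
        "/../../etc/passwd",               # plain traversal
        "/%2e%2e/%2e%2e/etc/passwd",       # percent-encoded traversal
        "/..\\..\\secret.txt",             # backslash separators
        "/../www-private/key.txt",         # sibling sharing the root's prefix
        "/img/../../www/img/chart.png",    # leaves the root, then returns to it
    ]
    results = {r: safe_resolve(root, r) for r in requests}
    shutil.rmtree(base)
    return base, root, results


if __name__ == "__main__":
    for request, result in demo()[2].items():
        print(f"{request!r:34} -> {result}")
```

The last request is accepted because the decision is made on the canonical path rather than on the presence of `..` in the input.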
