NISCC reveals SAP R/3 security flaw


Tash Shifrin

A security vulnerability in SAP R/3 enterprise software could allow unauthorised access to files, the National Infrastructure Security Coordination Centre has warned.

The security flaw was found in SAP’s Internet Graphics Server (IGS) application, a subcomponent of the SAP R/3 system, by security firm Corsaire. NISCC rated its severity as “high”.

The SAP R/3 enterprise environment is accessible over HTTP and includes a minimal web server function. The security flaw is related to the way the IGS product validates document paths.

Hackers could access documents outside the web root, with the privileges of the user who started the IGS service, by entering an HTTP document path that incorporates a directory traversal (../..) sequence, NISCC warned.

Corsaire recommended upgrading to the latest version of the SAP IGS software, version 6.40 Patch 11, but warned that it was not yet sure whether the patch fully resolved the validation problem.

The IGS product could also be deactivated, the security analysis firm said.
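The document-path validation at issue, as an added example that is not SAP's or Corsaire's code: a Python sketch of the containment check a web server needs before opening a requested file. The names `WEB_ROOT` and `resolve_document` and the sample paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/igs/webroot"  # hypothetical web root, not a real SAP IGS path


def resolve_document(request_path, web_root=WEB_ROOT):
    """Map an HTTP document path to a file path, or return None if it leaves web_root."""
    # Decode percent-escapes until the value is stable, so that encoded and
    # double-encoded dots and slashes are checked in their final form.
    decoded = request_path
    for _ in range(3):
        once_more = unquote(decoded)
        if once_more == decoded:
            break
        decoded = once_more
    else:
        return None  # still changing after three rounds: refuse to guess

    # NUL bytes and backslashes have no place in a URL document path.
    if "\x00" in decoded or "\\" in decoded:
        return None

    # Collapse "." and ".." lexically, then require the result to stay inside
    # the root. Comparing against root + "/" stops a sibling directory such as
    # /srv/igs/webroot2 from passing a bare prefix test.
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, not taken from the advisory.
    for path in ("/images/chart.gif", "/a/../b.txt", "/../../etc/passwd",
                 "/%2e%2e/%2e%2e/etc/passwd", "/../webroot2/report.txt"):
        print(f"{path!r:32} -> {resolve_document(path)}")
```

The check is lexical only; a server that can contain symbolic links under the web root should also compare the `os.path.realpath` of the candidate against the root before opening it.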
