A security vulnerability in SAP R/3 enterprise software could allow unauthorised access to files, the National Infrastructure Security Coordination Centre has warned.
The security flaw was found in SAP’s Internet Graphics Server (IGS) application, a subcomponent of the SAP R/3 system, by security firm Corsaire. NISCC rated its severity as “high”.
The SAP R/3 enterprise environment is accessible over HTTP and includes a minimal web server function. The security flaw is related to the way the IGS product validates document paths.
Hackers could access documents outside the web root, with the privileges of the user who started the IGS service, by entering an HTTP document path that incorporates a directory traversal (../..) sequence, NISCC warned.
Corsaire recommended upgrading to the latest version of the SAP IGS software, version 6.40 Patch 11, but warned that it was not yet sure whether the patch fully resolved the validation problem.
The IGS product could also be deactivated, the security analysis firm said.
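The path validation described above is the check a web server must perform before mapping a document path to a file. The following is an added illustration, not code from the advisory or from SAP: it decodes the request path, normalises it against the web root and refuses anything that resolves outside it, then runs that check over access-log entries. The web root and the log lines are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root for the examples below (an assumption, not from the advisory).
WEB_ROOT = "/opt/igs/htdocs"


def resolve_under_webroot(web_root, request_path):
    """Map an HTTP document path onto the filesystem, refusing anything that
    escapes web_root. Returns the absolute path, or None when rejected."""
    # Decode percent-encoding twice so that %2e%2e and %252e%252e both surface as '..'
    decoded = unquote(unquote(request_path))
    # Drop query string and fragment; reject NUL bytes and backslash separators
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(web_root)
    # Join first, then normalise, so that '..' components are applied to the
    # full path and can be seen to climb out of the root
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The decisive check: the resolved path must stay at or below the root
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample access-log lines, not real IGS output
SAMPLE_LOG = [
    "GET /docs/report.pdf HTTP/1.0",
    "GET /docs/../../../etc/passwd HTTP/1.0",
    "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.0",
    "GET /docs/../index.html HTTP/1.0",
]


def flag_traversal(log_lines, web_root=WEB_ROOT):
    """Return the request paths in the log that the validator would reject."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if resolve_under_webroot(web_root, parts[1]) is None:
            flagged.append(parts[1])
    return flagged


if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print("rejected:", path)
```

Note that `/docs/../index.html` is accepted because it still resolves inside the root; only paths that climb above the root are rejected.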