Flaw found in thousands of SAP servers

By on
Flaw found in thousands of SAP servers

Vulnerabilities to be demonstrated at Black Hat.

Thousands of SAP servers on the internet could be affected by vulnerabilities that bypass authentication checks, a researcher will demonstrate at the Black Hat 2011 conference.

Alexander Polyako, chief technology officer at ERPScan, found flaws in the J2EE engine of SAP NetWeaver software that could allow an attacker to assign themselves administrative privileges.

"For example, it is possible to create a user and assign to the administrators group using two unauthorised requests to the system," Polyako said.

"It is also dangerous because that attack is possible on systems protected by two-factor authentication."

The company demonstrated the vulnerabilities with a tool that searches for SAP servers with undisclosed keywords.

It found that "more than half of [detected] servers could be hacked" using the vulnerability.

The vulnerabilities could affect many more SAP servers built with custom configuration, according to Polyako.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?