Vendor: SAP
Application: SAP Internet Graphics Server (IGS)
Affected versions: SAP IGS 7.20, 7.20_EXT, 7.45, 7.49, 7.53
Bug: Multiple vulnerabilities
CVSS: 8.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)
CVE: …
SAP backward compatibility and spoofing users!
Introduction: From the older SAP R/3 to the recent SAP NetWeaver ABAP systems, SAP usernames and passwords are stored encrypted directly in the database. Fortunately, encryption mechanisms …
The security of ‘SAP Secure Storage’
Introduction: What is SAP Secure Storage? The SAP Secure Store is an SAP component allowing the encrypted storage of sensitive data that SAP application …
Could a single mail DoS your SAP system? And more…
Introduction: Almost all SAP NetWeaver versions natively support SMTP (Simple Mail Transfer Protocol); this enables e-mail exchange between the SAP system and other mail servers, …
Malware… the entry point could be your SAP System
Introduction: Security researchers from ERPScan discovered a vulnerability in SAP GUI and disclosed it during the last Troopers conference. The vulnerability doesn’t directly impact the SAP …
One year of SAP vulnerabilities
Quick review: This 13 December was the last ‘SAP Security Tuesday patch’ of the year. It is now possible to make some reviews and comments …
SAP with Oracle – Authentication problem
Introduction: In SAP versions prior to SAP NetWeaver 7.40, for communication between Oracle and SAP, the Oracle database is installed with the remote_os_authent parameter enabled. …
Compromising SAP by exploiting the RFC Gateway
Introduction: Some SAP vulnerabilities cannot be ‘patched’, because they do not concern a bug in a program but a bad configuration of a service …
SAP is -also- vulnerable to injections
Introduction: In July 2016, SAP corrected a vulnerability in SAP NetWeaver affecting every version: a SQL and code injection, SAP Note 2311011 and …
SAP HANA: Pentest through TREXNet
Introduction: In 2016 an important security vulnerability was corrected on the new SAP platform, SAP HANA: an anonymous ‘remote command execution’ was possible. The …