Vendor : SAP Application : SAP Inernet Grahic Server (IGS) Affected versions : SAP IGS 7.20, 7.20_EXT, 7.45, 7.49, 7.53 Bug : Multiple vulnerabilities CVSS : 8.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H CVE : …
SAP backward compatibility and spoofing users !
Version Française From older SAP R/3 to the recent SAP Netweaver ABAP system, SAP username and password are stored encrypted directly in database. Fortunately, encryption mechanisms have evolved since 90’s …
The security of ‘SAP Secure Storage’
Version Française What is SAP Secure Storage ? The SAP Secure Store is a SAP component allowing the encrypted storage of sensitive data that SAP application requires for remote login …
Does only one mail could DoS your SAP System ? And more…
Version Française Almost all SAP Netweaver versions natively support SMTP (Simple Mail Transfer Protocol), this enables e-mail exchange between the SAP system and other mail server, without using external components. …
Malware… the entry point could be your SAP System
Version Française Security researchers, from ERPScan, discover a vulnerability on SAP Gui and disclose it during last Troopers Conference. The vulnerability doesn’t impact directly the SAP System but the client …
One year of SAP vulnerabilities
Version Française This 13 December was the last ‘SAP Security Tuesday patch’ of the year. Now it is possible to make some reviews and comments about vulnerabilities patched by SAP …
SAP with Oracle – Authentication problem
Version Française In SAP version prior SAP Netweaver 7.40, for communication between Oracle and SAP purpose, the Oracle database is installed with the remote_os_authent parameter enable. This configuration could creates …
Compromising SAP by exploiting the RFC Gateway
Version Française Some of SAP vulnerabilities couldn’t be ‘patched’, because they do not concern a bug in a program but a bad configuration of a service or component. Sometimes the …
SAP is -also- vulnerable to injections
Version Française In July 2016, SAP has corrected a vulnerability in SAP Netweaver, every versions concerned : a SQL and Code injection, SAP Note 2311011 and 2319506. This bug was …
SAP HANA : Pentest through TREXNet
Version Française In 2016 an important security vulnerability was corrected on the new SAP platform : SAP HANA. An anonymous ‘Remote command Execution’ was possible. The exploitability is more or …