Security Hole in SAP R/3 Could Expose Sensitive Data

By Lisa Vaas  |  Posted 2005-07-26

A flaw in the Internet Graphics Server application in SAP R/3's enterprise environment could allow unauthenticated access to files.

A security flaw has been discovered in the Internet Graphics Server application in SAP R/3 that could allow unauthenticated access to files. Security alerts aggregator Secunia Inc. rates the flaw as moderately critical, as it threatens exposure of sensitive information to malicious people. The flaw was discovered by the U.K. security assessment provider Corsaire Ltd.
The IGS is a subcomponent of SAP R/3's enterprise environment and is accessible over HTTP via a Web server component. According to Corsaire's advisory, by entering an HTTP document path that incorporates a directory traversal (../..) sequence, documents outside of the Web root can be accessed with the same privileges as those used to start the IGS service.

According to the advisory, the exact path required to perform the traversal differs depending on the product implementation and the directory in which it is installed. Corsaire's advisory goes on to say that IGS apparently doesn't validate the document path that's passed to it before it uses operating system functions to access and retrieve documents.

Corsaire recommends upgrading to the latest version of SAP IGS, Version 6.40, Patch 11. The firm notes in its advisory that it hasn't had time to examine the patch to determine whether it actually resolves the issue, however. Corsaire also notes that if IGS is not required, it can be deactivated using the process described in SAP's Note 862169.
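The defect class the advisory describes, as an added example that is not Corsaire's, SAP's or eWEEK's code: an unvalidated resolver that joins the HTTP document path onto the web root and hands it to file functions, beside a resolver that canonicalises the path and refuses anything that would leave the root. The web root `/opt/igs/htdocs` and the request paths are constructed for the example, not taken from the advisory.

```python
"""Path confinement for a document-serving HTTP component (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root, constructed for the example; not an SAP install path.
WEB_ROOT = "/opt/igs/htdocs"


def unvalidated_resolve(web_root: str, doc_path: str) -> str:
    """The flawed pattern: join the request path and pass it straight to the OS.

    '..' segments in doc_path walk out of web_root, so the resulting path can
    name any file readable by the account the service was started under.
    """
    return posixpath.normpath(web_root + "/" + doc_path)


def confined_resolve(web_root: str, doc_path: str) -> Optional[str]:
    """Return the path to serve, or None when the request must be refused (HTTP 400/403)."""
    decoded = unquote(doc_path)                # decode once, so %2e%2e is seen as '..'
    if "\x00" in decoded or "\\" in decoded:   # NUL truncation, backslash separators
        return None
    # Drop empty and '.' segments; refuse '..' outright instead of remapping it.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the result must lie inside the root, not merely share a
    # string prefix with it ("/opt/igs/htdocs2/x" must not pass for "/opt/igs/htdocs").
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("charts/bar.gif", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:32} unvalidated={unvalidated_resolve(WEB_ROOT, req)!r:28} "
              f"confined={confined_resolve(WEB_ROOT, req)!r}")
```

The check is purely lexical; a server that follows symbolic links under the root would additionally resolve the candidate with `os.path.realpath` and repeat the containment test on the real path.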
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
