Security Hole in SAP R/3 Could Expose Sensitive Data

A security flaw has been discovered in the Internet Graphics Server application in SAP R/3 that could allow unauthenticated access to files.

Security alerts aggregator Secunia Inc. rates the flaw as moderately critical, as it threatens exposure of sensitive information to malicious people.

The flaw was discovered by the U.K. security assessment provider Corsaire Ltd.

The IGS is a subcomponent of SAP R/3s enterprise environment and is accessible over HTTP via a Web server component. According to Corsaires advisory, by entering an HTTP document path that incorporates a directory traversal (…/…)sequence, documents outside of the Web root can be accessed with the same privileges as those used to start the IGS service.

According to the advisory, the exact path required to perform the traversal differs depending on product implementation and the directory on which its installed.

Corsaires advisory goes on to say that IGS apparently doesnt validate the document path thats passed to it before it uses operating system functions to access and retrieve documents.

/zimages/2/28571.gifOracles two most recent cumulative patch updates are flawed themselves. Click here to read more.

Corsaire recommends upgrading to the latest version of SAP IGS, Version 6.40, Patch 11. The firm notes in its advisory that it hasnt had time to examine the patch to determine whether it actually resolves the issue, however.

Corsaire also notes that if IGS is not required, it can be deactivated using the process described in SAPs Note 862169.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.