
Security hole


    Security hole

    Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

    If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.
    Down with racism. Long live miscegenation!

    #2
    Originally posted by NotAllThere
    Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

    If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.
    And now it's public
    Knock first as I might be balancing my chakras.



      #3
      Originally posted by NotAllThere
      Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

      If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.
      If they had the right userid and password what is the problem?



        #4
        Originally posted by minestrone
        If they had the right userid and password what is the problem?
        Does this mean the user id and password is hard coded?
        Knock first as I might be balancing my chakras.



          #5
          Originally posted by suityou01
          And now it's public
          Security by obscurity is no security at all. Security holes should be published and fixed. This one's been around for years but not been addressed. It's a general principle in the security industry that you talk about weaknesses, so they can be fixed.

          Originally posted by minestrone
          If they had the right userid and password what is the problem?
          Programs in SAP are developed on a development box, moved to a test box, and when all is well, moved to a live box. There should be no way of writing arbitrary programs directly in a live system.

          The third party tool is designed to read data from a SAP system. The userid and password are restricted to only run code in this particular function group. But one of the components of the group allows the user to write and run a program on the fly. Hence a userid that's supposed to be read only suddenly has all power. The system is wide open. Knowing the userid and password, I can write a program in .NET or a development SAP system or whatever, that injects ABAP code into a live SAP system to fund my pension plan, for example. Or read confidential information for later publication.

          Later versions of the function group may be ok, but this particular code is outside of SAP's normal support package/note/patch procedures. It is entirely likely that there are customers who are running older versions, which most definitely are insecure. I was asked, just yesterday, to install one, so this is not a theoretical issue.

          (The product manager swore blind that the code we had hadn't originated from SAP, until I sent him the file containing it...).
          Down with racism. Long live miscegenation!
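
An added example, not part of the original post and not SAP's or the third party's code: a first-pass source review for the pattern described above, flagging ABAP statements that create or compile program code at runtime. The sample source and the name `z_example_read` are constructed for illustration; statement splitting is simplified (chained `:` statements and string templates are not handled).

```python
# Statements that create or compile ABAP program code at runtime.
KINDS = ("GENERATE SUBROUTINE POOL", "INSERT REPORT", "GENERATE REPORT")

def strip_noise(line):
    """Remove comments and the contents of literals from one source line."""
    if line.startswith("*"):          # full-line comment: * in column 1
        return ""
    out, quote = [], None
    for ch in line:
        if quote:                     # inside '...' or `...`: drop content
            if ch == quote:
                quote = None
        elif ch in "'`":
            quote = ch
        elif ch == '"':               # inline comment runs to end of line
            break
        else:
            out.append(ch)
    return "".join(out)

def find_dynamic_code(source):
    """Return [(start_line, kind)] for each runtime code-generation statement."""
    findings, pending, start = [], "", None
    for number, raw in enumerate(source.splitlines(), 1):
        code = strip_noise(raw).strip()
        if not code:
            continue
        if not pending.strip():
            start = number            # a new statement begins on this line
        pending += " " + code
        *done, pending = pending.split(".")   # a period ends a statement
        for stmt in done:
            text = " ".join(stmt.upper().split())
            findings += [(start, k) for k in KINDS if text.startswith(k + " ")]
            start = number
    return findings

# Constructed sample; z_example_read is hypothetical, not code from ZAW0.
SAMPLE = """\
FUNCTION z_example_read.
* GENERATE SUBROUTINE POOL in a comment is not a finding.
  lv_msg = 'INSERT REPORT. inside a literal'.
  GENERATE SUBROUTINE POOL lt_code
    NAME lv_prog.            "compiles caller-supplied lines
  PERFORM run IN PROGRAM (lv_prog).
  insert report 'ZTMP' from lt_code.
ENDFUNCTION.
"""
```

Each hit is a lead for manual review: what matters is whether the source lines being generated can be influenced by the caller of a remotely callable function.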



            #6
            Originally posted by NotAllThere
            Security by obscurity is no security at all.
            And a security hole no one knows exists?
            Knock first as I might be balancing my chakras.



              #7
              Originally posted by suityou01
              And a security hole no one knows exists?
              There is a hole in your mind...



                #8
                Originally posted by suityou01
                And a security hole no one knows exists?
                How do you know no-one knows? You don't. People who wish to exploit it won't want to tell. Google "bike lock bic pen"

                Originally posted by AtW
                There is a hole in your mind...
                The avalanche has already started. It is too late for the pebbles to vote
                Down with racism. Long live miscegenation!



                  #9
                  Originally posted by NotAllThere
                  How do you know no-one knows. You don't. People who wish to exploit it won't want to tell. Google "bike lock bic pen"

                  The avalanche has already started. It is too late for the pebbles to vote
                  Yeah well they know now don't they gobby

                  he he he
                  Knock first as I might be balancing my chakras.



                    #10
                    Originally posted by NotAllThere
                    Security by obscurity is no security at all. Security holes should be published and fixed. This one's been around for years but not been addressed. It's a general principle in the security industry that you talk about weaknesses, so they can be fixed.
                    Agreed in general, but finding a hole and publishing it on the WWW is not the right approach because even if the author fixes it immediately, it could take a while to propagate. Better to inform the vendor first, and let them know you will go public in the near future.
                    Originally posted by MaryPoppins
                    I'd still not breastfeed a nazi
                    Originally posted by vetran
                    Urine is quite nourishing
