Agreed in general, but finding a hole and publishing it on the WWW is not the right approach because even if the author fixes it immediately, it could take a while to propagate. Better to inform the vendor first, and let them know you will go public in the near future.
Security by obscurity is no security at all. Security holes should be published and fixed. This one's been around for years but has not been addressed. It's a general principle in the security industry that you talk about weaknesses, so they can be fixed.
If they had the right userid and password what is the problem?
Programs in SAP are developed on a development box, moved to a test box, and when all is well, moved to a live box. There should be no way of writing arbitrary programs directly in a live system.
The third party tool is designed to read data from a SAP system. The userid and password are restricted to only run code in this particular function group. But one of the components of the group allows the user to write and run a program on the fly. Hence a userid that's supposed to be read only suddenly has all power. The system is wide open. Knowing the userid and password, I can write a program in .NET or a development SAP system or whatever, that injects ABAP code into a live SAP system to fund my pension plan, for example. Or read confidential information for later publication.
Later versions of the function group may be ok, but this particular code is outside of SAP's normal support package/note/patch procedures. It is entirely likely that there are customers who are running older versions, which most definitely are insecure. I was asked, just yesterday, to install one, so this is not a theoretical issue.
(The product manager swore blind that the code we had hadn't originated from SAP, until I sent him the file containing it...).
Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).
If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.
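The original post asks for a source code review of the function group, and the follow-up explains the review target: a module in a nominally read-only extraction tool that writes and runs a program on the fly. The scanner below is an added example (not code from the thread or from SAP) showing the first pass a reviewer would make over exported ABAP source: walk each FUNCTION block and flag statements that create or execute code at runtime (GENERATE SUBROUTINE POOL, INSERT REPORT, GENERATE REPORT, EDITOR-CALL, and PERFORM ... IN PROGRAM with a dynamic program name), skipping comment text so commented-out code does not raise false alarms. The sample ABAP is constructed for illustration and is not the ZAW0 code; the statement list is a reviewer's starting set, not a complete catalogue.

```python
import re

# Constructed sample source for a hypothetical function group. It is NOT the
# ZAW0 code from the thread; it just mirrors the shape of the problem: one
# harmless read module next to modules that build and run code at runtime.
SAMPLE_SOURCE = """\
FUNCTION z_read_data.
  SELECT * FROM ztable INTO TABLE lt_data.
ENDFUNCTION.

FUNCTION z_run_dynamic.
  " Takes source lines from the caller and executes them
  GENERATE SUBROUTINE POOL it_source NAME lv_prog.
  PERFORM main IN PROGRAM (lv_prog).
ENDFUNCTION.

FUNCTION z_write_report.
  INSERT REPORT lv_name FROM it_source.
ENDFUNCTION.
"""

# ABAP statements that create or execute code at runtime. A module that is
# supposed to be read-only has no business using any of them.
DYNAMIC_CODE_PATTERNS = {
    "GENERATE SUBROUTINE POOL": re.compile(r"^\s*GENERATE\s+SUBROUTINE\s+POOL\b", re.I),
    "INSERT REPORT": re.compile(r"^\s*INSERT\s+REPORT\b", re.I),
    "GENERATE REPORT": re.compile(r"^\s*GENERATE\s+REPORT\b", re.I),
    "EDITOR-CALL": re.compile(r"^\s*EDITOR-CALL\b", re.I),
    # PERFORM ... IN PROGRAM (name) resolves the program at runtime.
    "dynamic PERFORM IN PROGRAM": re.compile(r"^\s*PERFORM\s+\S+\s+IN\s+PROGRAM\s*\(", re.I),
}

FUNCTION_START = re.compile(r"^\s*FUNCTION\s+(\S+?)\.?\s*$", re.I)
FUNCTION_END = re.compile(r"^\s*ENDFUNCTION\b", re.I)


def scan_abap(source: str) -> list[dict]:
    """Return one finding per dynamic-code statement, tagged with the
    enclosing FUNCTION name and the 1-based line number."""
    findings = []
    current = None
    for lineno, raw in enumerate(source.splitlines(), start=1):
        if raw.startswith("*"):          # full-line comment (asterisk in column 1)
            continue
        code = raw.split('"', 1)[0]      # drop a trailing "-comment
        start = FUNCTION_START.match(code)
        if start:
            current = start.group(1)
            continue
        if FUNCTION_END.match(code):
            current = None
            continue
        for label, pattern in DYNAMIC_CODE_PATTERNS.items():
            if pattern.search(code):
                findings.append({
                    "function": current,
                    "line": lineno,
                    "statement": label,
                    "code": code.strip(),
                })
    return findings


def flagged_functions(source: str) -> list[str]:
    """Sorted names of the function modules that need a manual look."""
    return sorted({f["function"] for f in scan_abap(source) if f["function"]})


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['function']:<16} {f['statement']}: {f['code']}")
    print("review these modules first:", ", ".join(flagged_functions(SAMPLE_SOURCE)))
```

A hit from this scanner is not by itself a vulnerability; it is the list of modules where a reviewer must check whether the generated source comes from the caller and whether the module's authorization checks and the RFC user's role actually confine it to reading. SAP's own Code Inspector and ATC checks cover the same statement classes more thoroughly for code inside the system; this kind of script is for the exported sources a contractor is handed before installation.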