Security hole

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

TestMangler replied

28 July 2011, 20:17
Originally posted by eek

Nothing there that some rohypnol would not solve.

Too unsubtle.

I prefer the old "Does this hanky smell of chloroform to you ?"
Leave a comment:
suityou01 replied

28 July 2011, 20:16
Originally posted by NotAllThere View Post

It's been known about for ten years at least...

You didn't know about it.
Leave a comment:
NotAllThere replied

28 July 2011, 20:12
Originally posted by d000hg View Post

Agreed in general, but finding a hole and publishing it on the WWW is not the right approach because even if the author fixes it immediately, it could take a while to propagate. Better to inform the vendor first, and let them know you will go public in the near future.

It's been known about for ten years at least...
Leave a comment:
TestMangler replied

28 July 2011, 20:03
Damn, I thought this was another discussion about CM's dislike of anal sex
Leave a comment:
d000hg replied

28 July 2011, 19:50
Originally posted by NotAllThere View Post

Security by obscurity is no security at all. Security holes should be published and fixed. This ones been around for years but not been addressed. It's a general principle in the security industry that you talk about weaknesses, so they can be fixed.

Agreed in general, but finding a hole and publishing it on the WWW is not the right approach because even if the author fixes it immediately, it could take a while to propagate. Better to inform the vendor first, and let them know you will go public in the near future.
Leave a comment:
suityou01 replied

28 July 2011, 19:47
Originally posted by NotAllThere View Post

How do you know no-one knows. You don't. People who wish to exploit it won't want to tell. Google "bike lock bic pen"

The avalanche has already started. It is too late for the pebbles to vote

Yeah well they know now don't they gobby

he he he
Leave a comment:
NotAllThere replied

28 July 2011, 19:40
Originally posted by suityou01 View Post

And a security hole no one knows exists?

How do you know no-one knows. You don't. People who wish to exploit it won't want to tell. Google "bike lock bic pen"

Originally posted by AtW View Post

There is a hole in your mind...

The avalanche has already started. It is too late for the pebbles to vote
Leave a comment:
AtW replied

28 July 2011, 18:39
Originally posted by suityou01 View Post

And a security hole no one knows exists?

There is a hole in your mind...
Leave a comment:
suityou01 replied

28 July 2011, 18:33
Originally posted by NotAllThere View Post

Security by obscurity is no security at all.

And a security hole no one knows exists?
Leave a comment:
NotAllThere replied

28 July 2011, 18:00
Originally posted by suityou01 View Post

And now it's public

Security by obscurity is no security at all. Security holes should be published and fixed. This ones been around for years but not been addressed. It's a general principle in the security industry that you talk about weaknesses, so they can be fixed.

Originally posted by minestrone View Post

If they had the right userid and password what is the problem?

Programs in SAP are developed on a development box, moved to a test box, and when all is well, moved to a live box. There should be no way of writing arbitary programs directly in a live system.

The third party tool is designed to read data from a SAP system. The userid and password are restricted to only run code in this particular function group. But one of the components of the group allows the user to write and run a program on the fly. Hence a userid that's supposed to be read only suddenly has all power. The system is wide open. Knowing the userid and password, I can write a program in .net or a development SAP system or whatever, that injects abap code into a live SAP system to fund my pension plan, for example. Or read confidential information for later publication.

Later versions of the function group may be ok, but this particular code is outside of SAPs normal support package/note/patch procedures. It is entirely likely that there are customers who are running older versions, which most definitely are insecure. I was asked, just yesterday, to install one, so this is not a theoretical issue.

(The product manager swore blind that the code we had hadn't originated from SAP, until I sent him the file containing it...).
Leave a comment:
suityou01 replied

28 July 2011, 17:52
Originally posted by minestrone View Post

If they had the right userid and password what is the problem?

Does this mean the user id and password is hard coded?
Leave a comment:
minestrone replied

28 July 2011, 17:48
Originally posted by NotAllThere View Post

Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.

If they had the right userid and password what is the problem?
Leave a comment:
suityou01 replied

28 July 2011, 17:44
Originally posted by NotAllThere View Post

Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.

And now it's public
Leave a comment:
NotAllThere started a topic Security hole

28 July 2011, 17:23
Security hole

Found a hole in some SAP supplied software today, that would allow someone with the right userid and password to inject code into a live system to do whatever they wanted. (The original code came from a third party that was bought out by another third party, before SAP bought it, which is partly why it's still in the customer namespace).

If you've got function group ZAW0 installed, run it through a source code review at the earliest opportunity.
Tags: None