July 6, 2007 7:36 AM PDT

SAP patches critical security flaws

Posted by Dawn Kawamoto

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

SAP has patched highly critical security flaws in EnjoySAP and SAP Web Application Server, as well as moderate vulnerabilities in its SAP Message Server, according to security advisories issued Friday by Mark Litchfield of Next Generation Security Software.

Security flaws in EnjoySAP were found due to ActiveX controls "kweditcontrol.kwedit.1" and "preparetopostHTML," which could allow a buffer overflow attack and remote access to users' systems, according to Litchfield, who discovered the flaws.

EnjoySAP is one of the more popular SAP GUIs, noted Litchfield in his advisory, which stated all platforms are affected.

SAP Web Application Server's Internet Communication Manager running on Windows was also found to have highly critical security flaws, according to the advisory. The ICM allows communication between the SAP Web Application Server and HTTP, HTTPS and SMTP protocols.

But an error in the Internet Communication Manager's ICMAN.exe component can be exploited, leading to a denial-of-service attack.

"This is a very effective denial-of-service attack within a SAP environment," Litchfield stated in his advisory.

A more moderate security flaw was found in SAP Message Server running on all platforms, which can be exploited when a boundary error occurs during processing of HTTP requests. That can lead to a buffer overflow attack and remote execution of arbitrary code, according to NGSS' advisory.

Topics:: Security

Tags:: SAP,; EnjoySAP,; SAP Web Application Server,; SAP Message Server

Bookmark:: Digg; Del.icio.us; Reddit

News Blog topics

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Tech stocks tumble for a second straight day
The Dow Jones industrial average takes another wild ride, marking a second consecutive day it has ended the session below 10,000.
Gallery
Photos: Messenger returns to Mercury
News - Apple
Another iPhone bug?
Security conscious 12-year-old discovers new security hole in iPhone that allows people to see incoming text messages even when the passcode lock is enabled.
News - Microsoft
Microsoft search results land inside Facebook
As part of a deal announced in July that resulted from an investment, users can now do Web searches using Microsoft's engine without leaving the social-networking site.
Video
Mercury exposed
CNET News Daily Podcast
CNET News Daily Podcast: Subway cards now easily hackable
Protecting yourself from subway card hacks; a possible battery change for Apple's iPhone; and corporate restructuring at AMD.
Video
DIY political ads proliferate
News - Politics and Law
CBS live Webcast: Presidential debate, round two
Continuing our coverage of Election 2008, CBS News and CNET are presenting a live Webcast of Tuesday's presidential debate, followed by Web-only analysis and commentary.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crave
Calculator sneaks in a spy camera
A small camera is built into the side of the calculator, so you can pretend to be punching in figures while you're actually recording a clip of your office nemesis.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.