[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Onapsis Research: SAP Security In-Depth Vol. I

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Onapsis Research: SAP Security In-Depth Vol. I
From: Onapsis Research <research@xxxxxxxxxxx>
Date: Wed, 25 Nov 2009 13:53:53 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleague,

The first volume of the Onapsis' SAP Security In-Depth publication has been 
released.

SAP Security In-Depth is a free technical publication leaded by the Onapsis 
Research Labs with the purpose of providing specialized information about
the current and future risks in the SAP security field, allowing all the 
different actors (financial managers, information security managers, SAP
administrators, auditors, consultants and the general professional community) 
to better understand the involved risks and the techniques and tools
available to assess and mitigate them.

In this edition: The risks of downwards compatibility.

"SAP has implemented different password hashing procedures along its history. 
While each new version has increased the security level of the hashing
scheme, some backward compatibility aspects not considered in the 
implementation phase may provide room for practical attacks over the users 
stored
credentials. Through the exploitation of these weaknesses, malicious attackers 
would be able to escalate privileges over vulnerable systems and
perform business processes on behalf other users. This volume details the 
evolution of the hashing mechanisms developed by SAP, analyzes the different
risks of attacks to this sensitive information and provides practical solutions 
to protect the companys SAP platform, effectively decreasing business
fraud risks."

The full publication can be downloaded from 
http://www.onapsis.com/resources/get.php?resid=ssid01

Best regards,

- --
- --------------------------------------------
The Onapsis Research Labs Team

Onapsis S.R.L
Email: research@xxxxxxxxxxx
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
- --------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksNYSEACgkQz3i6WNVBcDV2ZwCeJp5ANOboU9QZW9IAGsthbEHG
3wcAoNmm3ec2uoePamtdQ6oee14H7u4P
=gFFY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ GLSA 200911-05 ] Wireshark: Multiple vulnerabilities
Next by Date: Re: [Full-disclosure] Some shit going on in seclist
Previous by thread: [Full-disclosure] [ GLSA 200911-05 ] Wireshark: Multiple vulnerabilities
Next by thread: [Full-disclosure] nasty infection from following link if anyone is interested
Index(es):
- Date
- Thread