[Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions
- From: Onapsis Research Labs <research@xxxxxxxxxxx>
- Date: Wed, 27 Jul 2011 23:13:39 -0700
Dear colleague,
We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth
publication.
Onapsis' SAP Security In-Depth is a free technical publication led by the
Onapsis Research Labs with the purpose of providing specialized
information about the current and future risks in the SAP security field,
allowing all the different actors (financial managers, information security
managers, SAP administrators, auditors, consultants and the general
professional community) to better understand the involved risks and the
techniques and tools available to assess and mitigate them.
In this edition: "The Invoker Servlet: A Dangerous Detour into SAP Java
Solutions", by Mariano Nuñez Di Croce and Jordan Santarsieri.
"SAP Application Servers Java, supported by the J2EE Engine, serve as the base
framework for running critical solutions such as the SAP Enterprise
Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP
Mobile Infrastructure (MI). Furthermore, customers can also deploy
their own custom Java applications over these platforms.
In December 2010, SAP released an important white-paper describing how to
protect against common attacks on these applications. Among the security
concepts detailed, there was one that was particularly critical: the Invoker
Servlet. This functionality introduces several threats to SAP platforms,
such as the possibility of completely bypassing the authentication and
authorization mechanisms.
This publication analyzes the Invoker Servlet Detour attack, identifying the
root cause of this threat, how to verify whether your platform is exposed
and how to mitigate it, effectively protecting your business-critical
information against cyber attacks."
The full publication can be downloaded from
http://www.onapsis.com/resources/get.php?resid=ssid04
We hope you enjoy this new issue!
Kindest regards,
P.S: We are sponsoring BlackHat USA this year, so don't hesitate to come and
chat with us at our Booth #706!
--
--------------------------------------------
The Onapsis Research Labs Team
Onapsis S.R.L
Email: research@xxxxxxxxxxx
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
--------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/