July 6, 2007 7:36 AM PDT

SAP patches critical security flaws

SAP has patched highly critical security flaws in EnjoySAP and SAP Web Application Server, as well as moderate vulnerabilities in its SAP Message Server, according to security advisories issued Friday by Mark Litchfield of Next Generation Security Software.

Security flaws in EnjoySAP were found due to ActiveX controls "kweditcontrol.kwedit.1" and "preparetopostHTML," which could allow a buffer overflow attack and remote access to users' systems, according to Litchfield, who discovered the flaws.

EnjoySAP is one of the more popular SAP GUIs, noted Litchfield in his advisory, which stated all platforms are affected.

SAP Web Application Server's Internet Communication Manager running on Windows was also found to have highly critical security flaws, according to the advisory. The ICM allows communication between the SAP Web Application Server and HTTP, HTTPS and SMTP protocols.

But an error in the Internet Communication Manager's ICMAN.exe component can be exploited, leading to a denial-of-service attack.

"This is a very effective denial-of-service attack within a SAP environment," Litchfield stated in his advisory.

A more moderate security flaw was found in SAP Message Server running on all platforms, which can be exploited when a boundary error occurs during processing of HTTP requests. That can lead to a buffer overflow attack and remote execution of arbitrary code, according to NGSS' advisory.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News. E-mail Dawn.

Topics:: Security

Tags:: SAP,; EnjoySAP,; SAP Web Application Server,; SAP Message Server

Share:: Digg; Del.icio.us; Reddit; Facebook; Twitter

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

Inside CNET News

Scroll Left Scroll Right

Nanotech - The Circuits Blog
Snapdragon chip powers itself into Nexus One
Qualcomm's processor is part of Google's unveiling just 12 hours after making the leap to a Lenovo laptop.
Gallery
Unboxing the Nexus One (photos)
Apple
Apple acquires Quattro Wireless
It's official. The acquisition of the mobile advertising company comes when Google--suddenly Apple's big rival in mobile--has made plans to acquire competitor AdMob.
Beyond Binary
Windows Mobile glitch dates 2010 texts 2016
Microsoft says it is working with mobile partners to fix a problem causing SMS messages sent after New Year's Day to appear as if they were sent from the future.
Video
Nexus One: The big reveal (video)
CNET News Daily Podcast
CNET News Daily Podcast: Google unveils its 'superphone'
We've got all the details you need to know about Google's new smartphone, the Nexus One; plus Apple makes a mobile ad acquisition and Microsoft sets Office 2010 pricing.
Video
Hands on with Google's Nexus One (video)
Technically Incorrect
'Kill Obama' Facebook group active for a month
A group whose name appeared to advocate the demise of the president survives on Facebook since November and is removed only after CNET draws Facebook's attention to it.
The Digital Home
NASA's Kepler finds five 'hot Jupiters'
After less than a year in operation, NASA's Kepler space telescope finds five new exoplanets in our galaxy. Unfortunately, none of them is habitable.
Gallery
Google unveils its 'super phone' (photos)
Android Atlas
Existing T-Mobile customers won't get the $180 price for the Nexus One
It turns out that if you're an existing T-Mobile customer interested in buying the new Nexus One, you won't be able to get it for $180 with a contract. Instead, you'll have to pay either $279 or $379.
2010 CES
Whirlpool, Direct Energy assemble home energy system
Will home networks get smart to energy management? Whirlpool and Direct Energy team with a display maker and Best Buy in a big to automate savings.