Re: SAP R/3 default password vulnerability

From: John Eisenschmidt (jweisen@eisenschmidt.org)
Date: 08/27/02


Date: Tue, 27 Aug 2002 14:01:00 +0000
From: John Eisenschmidt <jweisen@eisenschmidt.org>
To: bugtraq@securityfocus.com


If I might be so bold, this seems to go on all the time.

We use a Contact Relationship Management (CRM) package from e.Piphany called ActiveSales (or e.Piphany Sales or eSales, whatever it is this week) that has a front end client and a repository independent back end database (Access, SQL Server, Oracle, DB2, anything that is ODBC compliant). The app logs into the database as a single super user. While you *can* change the out of the box password, it's a pain, and my guess is that 90%+ of their clients have not.

The same goes for Lawson Financials. Although it does support using the embedded database security, we've found that support is more difficult to get from them since the CIA is the only other customer that seems to be using it this way.

Most business applications these days rely on a 3rd party RDBMS to store their data, and most of them (even SQL Server, if done correctly) have security models that are sound, clean, and granular. However, what most developers seem to do is create a single user with dba rights that owns and operates on all their data, so they only have to deal with the implications of their code, and not what the database might and might not let them do.

One could argue that the use of a directory service can make this simpler, and it does, but not much. In Oracle, one can identify a user externally, meaning that their account information is stored outside Oracle, but their rights are still in the data dictionary. That means that I still need to give them the appropriate rights to objects in the database.

In my opinion (and we know how much that counts), all the mid-tier apps I've seen take little or no advantage of the database engine people pay to store their data. Security (and performance) can best be served through stored procedures and embedded database security.

Thoughts?

Thanks,
John

Unless the Voices are Mistaken, Stefan Hoelzner (shoelzner@cityweb.de) Wrote:
>
>
> SAP R/3 default password vulnerability
>
> Summary
> =======
> SAP R/3 ships with four default user accounts that are protected with commonly known passwords. These user accounts are equipped with super- or power user access rights.

-- 
John W. Eisenschmidt <jweisen@eisenschmidt.org>
 Homepage URL    | http://www.eisenschmidt.org/jweisen
 GPG Public Key  | http://www.eisenschmidt.org/jweisen/misc/jeisenschmidt.asc
 GPG Fingerprint | 5F9B F916 5AD1 3295 CF99 BC1E 1F97 E6A3 37E3 BEF2

This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.en.html

"The motto was 'We Eat Our Young'" -Marc Benioff, former Oracle Salesperson
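The two patterns John contrasts above, written out as an added example that is not part of the original post and not taken from e.Piphany, Lawson or SAP: the single dba-rights account the application connects as, beside the "embedded database security" alternative where an owning schema exposes only stored procedures to a separate, minimally privileged run-time account. Oracle SQL syntax is assumed; the schema, user, table and procedure names (APP_DBA, APP_OWNER, APP_RUN, CONTACTS, ADD_CONTACT, FIND_CONTACT) are invented for the illustration.

```sql
-- Added example (invented names, Oracle syntax assumed). Not the original post's code.

-- ---------------------------------------------------------------------------
-- Weak pattern described in the post: one account owns every table AND is the
-- account the middle tier logs in with. Anyone holding its (often unchanged)
-- password can run arbitrary SQL over all the data; the engine's own
-- privilege model is never consulted.
-- ---------------------------------------------------------------------------
CREATE USER app_dba IDENTIFIED BY "changeme";      -- out-of-the-box style password
GRANT DBA TO app_dba;                               -- owns and operates on everything

-- ---------------------------------------------------------------------------
-- Recommended pattern: ownership and run-time identity are separated, and the
-- application reaches the data only through stored procedures.
-- ---------------------------------------------------------------------------

-- 1. Owning schema. Holds tables and procedures; the account is locked so
--    nothing ever logs in as the owner.
CREATE USER app_owner IDENTIFIED BY "placeholder-owner-pw" ACCOUNT LOCK;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE PROCEDURE TO app_owner;
ALTER USER app_owner QUOTA UNLIMITED ON users;

CREATE SEQUENCE app_owner.contacts_seq;

CREATE TABLE app_owner.contacts (
  id    NUMBER        PRIMARY KEY,
  name  VARCHAR2(100) NOT NULL,
  email VARCHAR2(200)
);

-- Definer's-rights procedures: they execute with APP_OWNER's privileges, so the
-- caller needs EXECUTE on the procedure but no privilege on the table itself.
CREATE OR REPLACE PROCEDURE app_owner.add_contact (
  p_name  IN VARCHAR2,
  p_email IN VARCHAR2
) AS
BEGIN
  INSERT INTO app_owner.contacts (id, name, email)
  VALUES (app_owner.contacts_seq.NEXTVAL, p_name, p_email);
END;
/

CREATE OR REPLACE PROCEDURE app_owner.find_contact (
  p_name IN  VARCHAR2,
  p_rows OUT SYS_REFCURSOR
) AS
BEGIN
  -- Bind variable, not string concatenation: the only SQL that can reach the
  -- table is the SQL compiled into the owner's procedures.
  OPEN p_rows FOR
    SELECT id, name, email FROM app_owner.contacts WHERE name = p_name;
END;
/

-- 2. Run-time account used by the middle tier. It can log in and call the two
--    procedures, nothing else. (IDENTIFIED EXTERNALLY, which the post mentions,
--    would move the credential outside Oracle; the grants below stay the same.)
CREATE USER app_run IDENTIFIED BY "placeholder-run-pw";
GRANT CREATE SESSION TO app_run;
GRANT EXECUTE ON app_owner.add_contact  TO app_run;
GRANT EXECUTE ON app_owner.find_contact TO app_run;
-- Deliberately absent: GRANT SELECT/INSERT/UPDATE/DELETE ON app_owner.contacts TO app_run;

-- ---------------------------------------------------------------------------
-- Checks a DBA can run to confirm the split holds.
-- ---------------------------------------------------------------------------

-- Expect exactly two EXECUTE rows for APP_RUN and no table privileges.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_RUN';

-- Expect no row: the run-time account must not hold DBA or any system role.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_RUN';

-- Connected as APP_RUN, direct table access fails (Oracle reports ORA-00942,
-- "table or view does not exist", for objects the session has no privilege on),
-- while the procedure call succeeds:
--   SELECT * FROM app_owner.contacts;              -- ORA-00942
--   EXEC app_owner.add_contact('Ada', 'ada@example.invalid');   -- succeeds
```

The point the example makes concrete is the one in the post: the work of deciding who may touch which rows moves from the middle-tier code into the data dictionary, where a compromised application password or an injected query buys no more than the handful of procedures the run-time account was granted.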
