Re: SAP

From: Alex Alex (mis2ndg@yahoo.com)
Date: 03/25/02


Date: 25 Mar 2002 14:46:49 -0000
From: Alex Alex <mis2ndg@yahoo.com>
To: pen-test@securityfocus.com



In-Reply-To: <20020323184216.76962.qmail@web13803.mail.yahoo.com>

The ITS is a service that lets users access an
R/3 resource using a standard browser.
There are two main components: the wgate, which
intercepts the HTML requests and passes them to the
agate, which makes the translation from HTML to RFC for
the specified R/3 system.
You can find the agate and wgate on the same
machine or, typically, the wgate in the DMZ and the agate
on the local LAN (more secure).

The wgate is a simple web server (IIS or Apache,
Netscape, etc.), while only recently the agate has
also been released for Linux.

You can focus on the security of the wgate; after this
you can focus on the transaction. I've found several
ITS without HTTPS sessions enabled.
You could demonstrate the insecurity of the service (not
encrypted) using ARP spoofing.
I'm not a good code analyser, but I would suggest that you
analyse the heavy cookie usage by the application.

On the ITS you can load several different custom
services exported by the R/3 system using IACOR
that are the templates that let you access different
services on the R/3.

Also consider reading the good manual shipped with
the installation files.

I would be interested in the result of your test.

Good Luck.

--Alex

mis2ndg@yahoo.com
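
A defensive check for the two points raised in the message above (a web front end reached without HTTPS, and heavy cookie use), added here as an example and not part of the original post: it audits recorded response headers for cookies issued over plain HTTP or without the Secure/HttpOnly attributes. The URL, cookie names and header text are constructed placeholders, not real ITS values.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: response headers as a proxy or `curl -i` would record them.
# Host, path and cookie names are hypothetical, not taken from a real ITS.
SAMPLE_URL = "http://wgate.example.test/login"
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_ctx=abc123; Path=/
Set-Cookie: ui_lang=EN; Path=/; Secure; HttpOnly
"""


def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie header in a raw header block."""
    values = []
    for line in raw_headers.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(url, raw_headers):
    """Return sorted (cookie_name, issue) pairs for weakly protected cookies."""
    plain_http = urlsplit(url).scheme.lower() != "https"
    findings = []
    for header in set_cookie_values(raw_headers):
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if plain_http:
                findings.append((name, "set over unencrypted HTTP"))
            if not morsel["secure"]:
                findings.append((name, "missing Secure attribute"))
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly attribute"))
    return sorted(findings)


if __name__ == "__main__":
    for cookie_name, issue in audit_cookies(SAMPLE_URL, SAMPLE_HEADERS):
        print(f"{cookie_name}: {issue}")
```
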
