http://www.infoworld.com/d/security-central/fixing-the-back-door-sap-oracle-security-hole-096

By Jeremy Kirk
IDG News Service
April 09, 2010

At the Black Hat security conference next week, one presentation will focus on a way to insert a back door into SAP's ERP (enterprise resource planning) applications.

SAP's business software is often the core of a company's operations and is used to manage invoicing, human resources, procurement, and billing, among many other functions.

SAP's software uses databases from companies such as Oracle, said Mariano Nuñez Di Croce, director of research and development for Onapsis, a company that focuses on penetration testing for SAP systems and others such as Oracle's PeopleSoft and JD Edwards enterprise applications.

Many companies do not configure the Oracle database correctly, which makes the SAP system vulnerable to attack.

"What we have found is, it is possible instead of modifying the program you can connect to the database and modify the code directly in the database," Nuñez Di Croce said.

The problem with SAP and the Oracle database has been known for a few years, although Nuñez Di Croce recently figured out how to slip a "back door" into a program in the database that can then send data to a remote hacker. Because the Oracle database does not conduct an integrity check of the source code, the attack would be difficult to detect.

[...]

Received on Sun Apr 11 2010 - 22:24:23 PDT
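The article notes that the database performs no integrity check on stored program source, so a change made directly in the database goes unnoticed. The sketch below is an added example, not code from the article, Onapsis, SAP or Oracle: it shows an external baseline comparison using an in-memory SQLite table as a stand-in, and the table `program_source`, its columns and the program names are hypothetical.

```python
import hashlib
import sqlite3


def snapshot(conn):
    """Return {program_name: SHA-256 of its source} for every stored program."""
    rows = conn.execute("SELECT name, source FROM program_source ORDER BY name")
    return {name: hashlib.sha256(src.encode("utf-8")).hexdigest()
            for name, src in rows}


def diff_baseline(baseline, current):
    """Compare two snapshots and report programs modified, added or removed."""
    return {
        "modified": sorted(n for n in baseline
                           if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def demo():
    # Constructed sample data: a hypothetical table holding program source.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE program_source (name TEXT PRIMARY KEY, source TEXT)")
    conn.executemany("INSERT INTO program_source VALUES (?, ?)", [
        ("Z_INVOICE_POST", "REPORT z_invoice_post.\nPERFORM post_invoice."),
        ("Z_PAYROLL_RUN", "REPORT z_payroll_run.\nPERFORM run_payroll."),
    ])
    # Baseline taken at a known-good point; in practice it is stored
    # outside the database so it cannot be rewritten along with the code.
    baseline = snapshot(conn)
    # Simulate changes made directly in the database, bypassing the application.
    conn.execute("UPDATE program_source SET source = source || ? WHERE name = ?",
                 ("\nPERFORM unreviewed_routine.", "Z_INVOICE_POST"))
    conn.execute("INSERT INTO program_source VALUES (?, ?)",
                 ("Z_TMP_HELPER", "REPORT z_tmp_helper."))
    return diff_baseline(baseline, snapshot(conn))


if __name__ == "__main__":
    print(demo())
```

Any entry under `modified` or `added` that does not match an approved change record is the signal to investigate.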