In-Reply-To: <20020323184216.76962.qmailat_private>

The ITS is a service that lets users access an R/3 resource using a standard browser. There are two main components: the wgate, which intercepts the HTML requests and passes them to the agate, which makes the translation from HTML to RFC for the specified R/3 system. You can find the agate and wgate on the same machine, or typically the wgate in the DMZ and the agate in the local LAN (more secure). The wgate is a simple web server (IIS or Apache, Netscape, etc.), while only recently the agate has been released also for Linux.

You can focus on the security of the wgate; after this you can focus on the transaction. I've found several ITS without HTTPS session enabled. You could demonstrate insecurity of the service (not encrypted using ARP spoofing). I'm not a good code analyser, but I could suggest you analyse the heavy cookie usage by the application.

On the ITS you can load several different custom services exported by the R/3 system using IACOR that are the templates that let you access different services on the R/3. Consider also reading the good manual shipped with the installation files.

I would be interested in the result of your test. Good luck.

--Alex
mis2ndgat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 07:41:12 PST