SAP users warned of potential app vulnerabilities

E-Recruiting web applications vulnerabilities revealed

SAP users have been warned that the vendor's web-based e-recruiting applications could be exposed to cyber security breaches.

The caution comes as security provider Bowbridge Software - a long-time alliance partner of SAP - selected 120 businesses using the SAP E-Recruiting application and ran random tests to see whether proper security measures had been adopted to protect the application.

One of the critical findings was that 52 per cent of the systems tested did not prevent the upload of malware. Three critical areas were tested: transport layer security, the registration process and the uploading of attachments.

E-Recruiting collects personal data by default. The study revealed that 81 per cent of the implementations tested defaulted to the use of SSL encryption; however, over 30 per cent of the tested sites allowed the encryption to be bypassed simply by changing the URL scheme from https:// to http://.

Delving deeper, fewer than 12 per cent of the systems tested required users to confirm their email address, making such portals easy targets, while 38 per cent of the systems required passwords to meet minimum requirements for length or complexity.

Almost 60 per cent of the systems notified users of restrictions on the types of files that could be uploaded, and some 30 per cent of the portals implemented no filtering or restrictions whatsoever on the types of files accepted by the application.

According to the findings, this means that a third of the applications and their users are exposed to a wide range of file-based threats.

"More than 60 per cent of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions," the report stated.

Breaches through the upload of HTML with embedded JavaScript were also revealed, with 31 per cent of the systems allowing the upload of plain JavaScript files.

Furthermore, systems were also found to allow the upload of Java archives (.jar files), Flash, Silverlight, Office documents with macros in the old format (CDF, pre-Office 2007) and documents with macros in the new format (OOXML).

Some 29 per cent of the systems allowed Windows executable (.exe) files to be uploaded, and over 30 per cent allowed DOS executables (.com) and shared libraries (.dll) to be uploaded to the SAP data store; the list also includes PDF files, XML and XSLT, and more.
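The extension-renaming, script-upload and macro-document findings above, illustrated with an added defender-side example that is not Bowbridge's or SAP's code: an upload check that classifies a file by its leading bytes and, for ZIP containers, by its entries, so a PE image or HTML page renamed to .pdf, a .jar renamed to .docx, or a macro-bearing OOXML document is rejected whatever its extension says. The allow-list of pdf and docx is an assumed portal policy; sample uploads are constructed in memory with the `make_zip` helper.

```python
import io
import zipfile

# Assumed portal policy: candidates may upload PDF and modern Word files only.
ALLOWED_EXTENSIONS = {"pdf", "docx"}

def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP; used only to construct sample uploads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes and, for ZIP containers, its entries."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"  # Windows .exe/.dll images begin with the MZ header
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "cdf"  # legacy (pre-2007) Office container, may carry macros
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        if "[Content_Types].xml" in names:
            # OOXML: a vbaProject.bin part means the document carries macros
            if any(n.endswith("vbaProject.bin") for n in names):
                return "ooxml-macro"
            return "docx"
        return "zip"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only if the extension is allowed AND the content matches it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not on the allow-list"
    actual = sniff_type(data)
    if actual != ext:
        return False, f"content is {actual}, not {ext}: rename bypass rejected"
    return True, "accepted"
```

Raw DOS .com files have no reliable signature, which is one reason an extension allow-list alone is not a sufficient filter.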

"While we only tested the E-Recruiting application, these results can certainly be applied to any web-based SAP application that companies are using," Bowbridge CTO Jörg Schneider-Simon said. "By failing to secure their SAP applications, businesses are taking an enormous risk not only with their data, but with their very future."

Schneider-Simon assured customers that all tests were completely non-intrusive.

"No attack scripts were used, no real malware was uploaded to any target system, and any test files that were uploaded were also removed from systems," Schneider-Simon explained. "In systems where a candidate registration was required, the dummy candidate profiles ('John Doe') were deleted after the tests were completed, if the system allowed it."

SAP recommends that all its customers securely configure their systems and apply SAP security patches as soon as they are available.

