SAP users warned of potential app vulnerabilities

E-Recruiting web applications vulnerabilities revealed

SAP users have been warned that the vendor's web-based e-recruiting applications could be exposed to cyber security breaches.

The caution comes after security provider Bowbridge Software - a long-time alliance partner of SAP - selected 120 businesses using the SAP E-Recruiting application and ran random tests to see whether proper security measures were being adopted to protect the application.

The tests covered three critical areas: transport layer security, the registration process and the uploading of attachments. One of the critical findings was that 52 per cent of the systems tested did not prevent the upload of malware.

E-recruiting collects personal data by default, and the study found that 81 per cent of the implementations tested defaulted to the use of SSL encryption. However, over 30 per cent of the tested sites allowed SSL encryption to be bypassed by simply changing the URL protocol from https:// to http://.

Delving deeper, fewer than 12 per cent of the systems tested required users to confirm their email address, making such portals easy targets, while a total of 38 per cent of the systems required passwords to meet minimum requirements for length or complexity.

Almost 60 per cent of the systems notified users of restrictions on the types of files allowed to be uploaded and some 30 per cent of the portals did not implement any filtering or restrictions whatsoever on the types of files accepted by the application.

According to the findings, this means that a third of the applications and their users are exposed to a wide range of file-based threats.

"More than 60 per cent of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions," the report stated.

Breaches through the upload of HTML with embedded JavaScript were also revealed, with 31 per cent of the systems allowing the upload of plain JavaScript files.

Furthermore, systems were also found to allow the upload of Java Archives (.jar files), Flash, Silverlight, Office documents with macros in the old format (CDF, pre-Office 2007) and documents with macros in the new format (OOXML).

Systems that allowed the uploading of Windows executable (.exe) files totalled 29 per cent, and over 30 per cent allowed DOS executable (.com) files and shared libraries (.dll) to be uploaded to the SAP data store - the list also includes PDF files, XML and XSLT, and more.
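The renamed-extension finding above is what an extension-only allowlist fails to catch. As an added illustration of the defender's check, not code from the Bowbridge report or from SAP, the function below accepts an upload only when the extension is allowlisted and the file's leading bytes match that type, so an executable renamed to .pdf or HTML saved as .txt is rejected. The allowlist, signatures and sample uploads are constructed assumptions.

```python
import re

# Constructed allowlist (an assumption, not a real portal's configuration): each allowed
# extension maps to the leading bytes a genuine file of that type starts with.
MAGIC_BY_EXT = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "docx": (b"PK\x03\x04",),  # OOXML is a ZIP container; macros need inspection inside it
}
TEXT_EXTS = {"txt"}

# Content rejected whatever the claimed extension. Windows PE images (.exe/.dll) start with
# "MZ"; DOS .com files carry no header, so only the text/signature checks below catch those.
BLOCKED_PREFIXES = (b"MZ",)
HTML_PATTERN = re.compile(rb"<\s*(script|html|iframe|object|embed)\b", re.IGNORECASE)


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only if the extension is allowlisted AND the
    bytes look like that type, so a file that was merely renamed fails the second test."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC_BY_EXT and ext not in TEXT_EXTS:
        return False, f"extension '.{ext}' not in allowlist"
    if data.startswith(BLOCKED_PREFIXES):
        return False, "executable image (MZ header) despite allowed extension"
    if HTML_PATTERN.search(data[:4096]):
        return False, "active HTML/script content"
    if ext in MAGIC_BY_EXT:
        if not data.startswith(MAGIC_BY_EXT[ext]):
            return False, f"content does not match the '.{ext}' signature"
        return True, "signature matches extension"
    # Plain text: must contain no NUL bytes and must decode as UTF-8.
    if b"\x00" in data:
        return False, "binary content in a text file"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    return True, "plain text"


if __name__ == "__main__":
    # Constructed sample uploads; none are real files from the study.
    samples = [
        ("cv.pdf", b"%PDF-1.7\n1 0 obj\n"),
        ("cv.pdf", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),  # .exe renamed to .pdf
        ("notes.txt", b"<html><script>alert(1)</script></html>"),
        ("tool.exe", b"MZ\x90\x00"),
    ]
    for name, blob in samples:
        print(name, classify_upload(name, blob))
```

Signature checks of this kind only prove the container type; for OOXML or PDF, malicious macros or scripts still require a content scanner to inspect what is inside.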

“While we only tested the E-Recruiting application, these results can certainly be applied to any web-based SAP application that companies are using,” Bowbridge CTO Jörg Schneider-Simon said. “By failing to secure their SAP applications, businesses are taking an enormous risk not only with their data, but with their very future.”

Schneider-Simon assured customers that all tests were completely non-intrusive.

"No attack scripts were used, no real malware was uploaded to any target system, and any test files that were uploaded were also removed from systems," Schneider-Simon explained. "In systems where a candidate registration was required, the dummy candidate profiles (“John Doe”) were deleted after the tests were completed, if the system allowed it."

SAP recommends all its customers to securely configure their systems and implement SAP security patches as soon as they are available.

The German software vendor said during its Leonardo Live event that its AI efforts, still at an early stage, can probably automate 40 percent of the jobs today across the globe.
