[ERPSCAN-11-041] SAP NetWeaver – Authentication bypass (Verb Tampering)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Auth bypass, Verb tampering
Exploits: YES
Reported: 14.03.2011
Vendor response: 15.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 10 by ERPSCAN (7.3 by SAP)
Author: Alexandr Polyakov

Description
Authentication bypass vulnerability in SAP NetWeaver CTC service can be exploited for unauthorized user management and OS command execution.
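As an added illustration (not part of the original advisory, not SAP's code, and not the CTC service's actual deployment descriptor, which the advisory does not show), the following web.xml fragment shows the general J2EE pattern behind verb-tampering bypasses and its hardened form; the URL pattern and role name are hypothetical.

```xml
<!-- WEAK: the constraint names explicit verbs, so any verb it does not list
     (HEAD, for instance) is left uncovered and reaches the servlet without
     the auth-constraint being applied. HttpServlet services HEAD through
     doGet, so an uncovered verb is not a harmless one.
     Hypothetical path and role; not SAP's actual descriptor. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrators</role-name>
  </auth-constraint>
</security-constraint>

<!-- HARDENED: omitting <http-method> applies the constraint to every verb
     (standard Servlet semantics); the servlet itself then decides which
     verbs it actually handles. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrators</role-name>
  </auth-constraint>
</security-constraint>

<!-- Servlet 3.1 and later containers can additionally reject any verb that
     no constraint covers; older J2EE engines do not support this element. -->
<deny-uncovered-http-methods/>
```

When auditing descriptors, treat every `<http-method>` list inside a `<security-constraint>` as a finding to review, since each one silently exempts the verbs it omits.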

Business Risk
An attacker can bypass the authorization restrictions of the SAP J2EE engine and carry out further attacks.

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: