Date: Thu, 11 Feb 2010 11:47:58 -0400
From: Rosa Maria Gonzalez Pereira <analuis13@...mail.com>
To: <research@...psis.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Onapsis Security Advisory 2010-004] SAP J2EE
 Authentication Phishing Vector






What do I do with these emails? I already have thousands...


__________________________________________________________________



> Date: Thu, 11 Feb 2010 12:17:04 -0200
> From: research@...psis.com
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] [Onapsis Security Advisory 2010-004] SAP J2EE Authentication Phishing Vector
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Onapsis Security Advisory 2010-004: SAP J2EE Authentication Phishing Vector
> 
> This advisory can be downloaded from http://www.onapsis.com/research.html.
> By downloading this advisory from the Onapsis Resource Center, you will
> gain access to beforehand information on upcoming advisories, presentations
> and new research projects from the Onapsis Research Labs.
> 
> 
> 1. Impact on Business
> =====================
> 
> By exploiting this vulnerability, an internal or external attacker would
> be able to perform attacks on the Organization's users through weaknesses
> in the SAP system.
> 
> An attacker would send specially crafted emails to users of the
> Organization's SAP system. After they have been successfully
> authenticated by the application, they would be redirected to an
> attacker's controlled web site where he would be able to perform
> different attacks over their systems and/or trick them into providing
> sensitive information.
> 
> - - Risk Level: Medium
> 
> 
> 2. Advisory Information
> =======================
> 
> - - Release Date: 2010-02-10
> 
> - - Last Revised: 2010-02-10
> 
> - - Security Advisory ID: ONAPSIS-2010-004
> 
> - - Onapsis SVS ID: ONAPSIS-000005
> 
> - - Researcher: Mariano Nuñez Di Croce
> 
> 
> 3. Vulnerability Information
> ============================
> 
> - - Vendor: SAP
> 
> - - Affected Components:
> 	
> 	. SAP JAVA CORE 6.40 < SP26
> 	. SAP JAVA CORE 7.00 < SP02
> 	. SAP JAVA CORE 7.01 < SP07
> 	. SAP JAVA CORE 7.02 < SP03
> 
> - - Vulnerability Class: Phishing Vector
> 
> - - Remotely Exploitable: Yes
> 
> - - Locally Exploitable: Yes
> 
> - - Authentication Required: No
> 
> 
> 4. Affected Components Description
> ==================================
> 
> The SAP J2EE Engine is a key component of the SAP NetWeaver application
> platform, which enables the development and execution of Java solutions
> in SAP landscapes.
> 
> The J2EE Engine is the component on which, for example, the SAP
> Enterprise Portal solution is built and executed.
> 
> 
> 5. Vulnerability Details
> ========================
> 
> The Authentication mechanism of the SAP J2EE Engine (which is shared by
> the Enterprise Portal and other solutions) suffers from a phishing vector
> vulnerability, which may allow a remote attacker to perform different
> attacks to the organization's SAP users.
> 
> Onapsis is not distributing technical details about this issue to the
> general public at this moment in order to provide enough time to affected
> customers to patch their systems and protect against the exploitation of
> the described vulnerability.
> 
> 
> 6. Solution
> ===========
> 
> SAP has released SAP Note 1175239, which provides a patched version of
> the affected components.
> 
> This patch can be downloaded from
> https://service.sap.com/sap/support/notes/1175239 .
> 
> Onapsis strongly recommends SAP customers to download the related
> security fix and apply it to the affected components in order to reduce
> business risks.
> 
> 
> 7. Report Timeline
> ==================
> 
> 	. 2009-11-24: Onapsis provides vulnerability information to SAP.
> 	. 2009-11-24: SAP confirms reception of vulnerability submission.
> 	. 2010-02-09: SAP releases security patch.
> 	. 2010-02-10: Onapsis releases security advisory.
> 
> 
> 8. About Onapsis Research Labs
> ==============================
> 
> Onapsis is continuously investing resources in the research of the
> security of business critical systems and applications.
> 
> With that objective in mind, a special unit - the Onapsis Research Labs -
> has been developed since the creation of the company. The experts involved
> in this special team lead the public research trends in this matter,
> having discovered and published many of the public security
> vulnerabilities in these platforms.
> 
> The outcome of this advanced and cutting-edge research is continuously
> provided to the Onapsis Consulting and Development teams, improving the
> quality of our solutions and enabling our customers to be protected from
> the latest risks to their critical business information.
> 
> Furthermore, the results of these research projects are usually shared
> with the general security and professional community, encouraging the
> sharing of information and increasing the common knowledge in this field.
> 
> 
> 9. About Onapsis
> ================
> 
> Onapsis is the leading provider of solutions for the security of
> business-critical systems and applications.
> 
> Through different innovative products and services, Onapsis helps its
> global customers to effectively increase the security level of their core
> business platforms, protecting their information and decreasing
> financial fraud risks.
> 
> Onapsis is built upon a team of world-renowned experts in the SAP
> security field, with several years of experience in the assessment and
> protection of critical platforms in world-wide customers, such as
> Fortune-500 companies and governmental entities.
> 
> Some of our featured services include SAP Penetration Testing, SAP
> Gateway & RFC security, SAP Enterprise Portal security assessment,
> Security Support for SAP Implementations and Upgrades, SAP System
> Hardening and SAP Technical Security Audits.
> 
> For further information about our solutions, please contact us at
> info@...psis.com and visit our website at www.onapsis.com.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkt0EWAACgkQz3i6WNVBcDUF4QCfWS2QfjR3IiZl1jGmXr5xKsLG
> wZQAoOOSG/YxJxShy6Hlv6dyemGo8M3q
> =Ot1u
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
 		 	   		  