SAP users warned of potential app vulnerabilities
25 July 2017
SAP users have been warned that the vendor’s Web-based e-recruiting applications could be exposed to cyber security breaches.
The caution comes as security provider Bowbridge Software – a long-time alliance partner of SAP – selected 120 businesses using SAP’s e-recruiting software to run random tests to see if proper security measures were being adopted to protect the application.
One of the critical findings was that 52% of the systems tested did not prevent the upload of malware. Three critical areas were tested: transport layer security, the registration process, and the uploading of attachments.
E-recruiting collects personal data by default. The study found that 81% of the implementations tested defaulted to the use of SSL encryption; however, more than 30% of tested sites allowed that encryption to be bypassed simply by changing the URL protocol from https:// to http://.
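The downgrade described above is cheap to check for from the defender's side: request the portal over plain http:// and look at whether content is served in the clear, whether the response redirects to https://, and whether the https response carries an HSTS header so that browsers stop issuing clear-text requests at all. The following is an added example, not code from the report or from Bowbridge; the verdict categories and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def hsts_max_age(header_value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; 0 when absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", header_value or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0


def assess_downgrade(http_status: int, http_headers: dict, https_headers: dict) -> dict:
    """Classify a portal from the responses to the http:// and https:// forms of one URL.

    HSTS is only honoured by browsers when received over https, so the header is read
    from the https response, not from the plain-http one.
    """
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}
    location = http_h.get("location", "")
    redirects_to_https = http_status in REDIRECT_CODES and urlsplit(location).scheme == "https"
    max_age = hsts_max_age(https_h.get("strict-transport-security", ""))
    if 200 <= http_status < 300:
        verdict = "exposed"        # page content served in the clear: the downgrade works
    elif redirects_to_https and max_age > 0:
        verdict = "hardened"       # one clear-text hop on first visit, then the browser pins https
    elif redirects_to_https:
        verdict = "redirect-only"  # every fresh plain-http request is still a clear-text window
    else:
        verdict = "blocked"        # e.g. 4xx on port 80 with no application content
    return {"verdict": verdict, "redirects_to_https": redirects_to_https, "hsts_max_age": max_age}


if __name__ == "__main__":
    # Constructed responses for three hypothetical portals (not measurements from the study).
    cases = {
        "portal-a": (200, {"Content-Type": "text/html"}, {}),
        "portal-b": (301, {"Location": "https://portal-b.example/sap/bc/erecruiting"}, {}),
        "portal-c": (301, {"Location": "https://portal-c.example/sap/bc/erecruiting"},
                     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    }
    for name, (status, http_hdrs, https_hdrs) in cases.items():
        print(name, assess_downgrade(status, http_hdrs, https_hdrs))
```

The "hardened" verdict still leaves the very first visit over port 80 as a clear-text hop; removing that as well requires the host to be on the browsers' HSTS preload list, which this check does not cover.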
Delving deeper, fewer than 12% of systems tested required users to confirm their e-mail address, making such portals easy targets, while 38% of systems required passwords to meet minimum requirements for length or complexity.
Almost 60% of systems notified users of restrictions on the types of files allowed to be uploaded, and some 30% of the portals did not implement any filtering or restrictions whatsoever on the types of files accepted by the application.
According to the findings, this means that a third of the applications and their users are exposed to a wide range of file-based threats.
“More than 60% of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions,” the report stated.
Furthermore, systems were also found to allow the upload of Java archives (.jar files), Flash, Silverlight, Office documents with macros in the old format (CDF, pre-Office 2007) and documents with macros in the new format (OOXML).
Systems that allowed the upload of Windows executable (.exe) files totalled 29%, and more than 30% allowed DOS executable (.com) files and shared libraries (.dll) to be uploaded to the SAP data store – the list also includes PDF files, XML and XSLT, and more.
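The report's central upload finding is that a filter keyed on the file extension alone is defeated by renaming the file. The fix on the server side is to derive the content type from the bytes and then require that it both be on an allow-list and match the declared extension. The following is an added example, not code from the report or from Bowbridge; the signature table covers the file types the study names, the allow-list policy and the sample files are constructed for illustration, and the zip inspection is a minimal heuristic rather than a full format parser.

```python
import io
import zipfile

# Leading-byte signatures for the risky types the study lists (constructed table for this
# example). DOS .com executables carry no header signature, so they end up as "unknown".
SIGNATURES = [
    (b"MZ", "pe-executable"),                              # Windows .exe and .dll
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "cdf-office"),   # pre-Office-2007 binary formats
    (b"%PDF-", "pdf"),
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
    (b"PK\x03\x04", "zip-container"),                       # .jar, OOXML and Silverlight .xap
]

# Sniffed content type -> extensions that may legitimately carry it (constructed policy).
# Anything not listed here (executables, macro documents, unknown bytes) is refused.
ALLOWED = {"pdf": {".pdf"}, "ooxml": {".docx", ".xlsx", ".pptx"}}


def _inspect_zip(data: bytes) -> str:
    """Tell plain OOXML apart from macro-enabled OOXML, JAR and Silverlight inside a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    if any(n.startswith("meta-inf/") or n.endswith(".class") for n in names):
        return "jar"
    if "appmanifest.xaml" in names:
        return "silverlight"
    if "[content_types].xml" in names:
        return "ooxml-macro" if any(n.endswith("vbaproject.bin") for n in names) else "ooxml"
    return "zip"


def sniff(data: bytes) -> str:
    """Return a content type derived from the bytes, ignoring the client-supplied name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _inspect_zip(data) if kind == "zip-container" else kind
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple:
    """Accept only when the sniffed type is allowed AND agrees with the declared extension."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    kind = sniff(data)
    if kind not in ALLOWED:
        return False, f"rejected: content type {kind!r} is not accepted"
    if ext not in ALLOWED[kind]:
        return False, f"rejected: content {kind!r} does not match extension {ext!r}"
    return True, f"accepted as {kind}"


def make_zip(entries: dict) -> bytes:
    """Build a small zip container in memory (used only to construct sample inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads: each is a name a candidate might choose plus the real bytes.
    samples = [
        ("cv.pdf", b"MZ\x90\x00" + b"\x00" * 60),                      # PE renamed to .pdf
        ("cv.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),                  # genuine PDF header
        ("cv.docx", make_zip({"[Content_Types].xml": b"<Types/>",
                              "word/vbaProject.bin": b"\x00"})),       # macro-enabled OOXML
        ("cv.docx", make_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w/>"})),         # plain OOXML
        ("cv.docx", make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})),  # JAR
        ("cv.pdf", b"\xb8\x00\x4c\xcd\x21"),                           # unsigned bytes (.com-like)
    ]
    for name, blob in samples:
        print(f"{name:8} {sniff(blob):14} -> {check_upload(name, blob)}")
```

Two design points matter here: the decision is made on the sniffed type, so renaming cannot promote a file into the allow-list, and the default is deny, so a format with no recognisable header (the .com case) is refused rather than waved through.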
“While we only tested the E-Recruiting application, these results can certainly be applied to any Web-based SAP application that companies are using,” Bowbridge CTO Jörg Schneider-Simon said. “By failing to secure their SAP applications, businesses are taking an enormous risk not only with their data, but with their very future.”
Schneider-Simon assured customers that all tests were completely non-intrusive.
“No attack scripts were used, no real malware was uploaded to any target system, and any test files that were uploaded were also removed from systems,” Schneider-Simon explained. “In systems where a candidate registration was required, the dummy candidate profiles (‘John Doe’) were deleted after the tests were completed, if the system allowed it.”
IDG News Service