(LiveHacking.Com) – Alexander Polyakov of ERPScan has demonstrated a security hole in SAP’s J2EE engine, NetWeaver at BlackHat USA 2011. Once exploited an attacker can create new administrator accounts remotely.
This new vulnerability is particularly dangerous because it works on systems normally protected by two-factor authentication and by passes these completely. According to ERPScan, more than half of available servers on the Internet can be hacked using this vulnerability.
“Danger is in that it is not only a new vulnerability, but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. During our research we only detected several examples in standard system configuration, and because each company customizes the system under its own business processes, new examples of vulnerabilities of the given class can be potentially detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of such type in order to protect companies on time and it is also included in our professional product – ERPScan Security Scanner for SAP.” — noted Alexander.