In association with heise online

30 August 2006, 14:32

Critical hole in SAP database MaxDB


A critical security hole in the SAP DB and MaxDB databases allows attackers to gain control over the service. MaxDB is the open source database for SAP systems such as mySAP Business Suite and others. Its continued development has been handled by MySQL AB, and it has been certified by SAP. The flaw is located in WebDBM, the database's web management component, Symantec reports. Specially prepared HTTP requests with overlong database names can be used to provoke a buffer overflow, plant code, and then execute that code with the rights of the web server (wahttp). No prior authentication is needed for this.

The flaw was found in MaxDB version, although previous versions are potentially also affected. The manufacturer has removed the hole in MaxDB. No update is available for SAP DB, which is no longer under continued development, Symantec reports. The company recommends turning off the web service as a workaround.
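The class of defect described above, an unauthenticated request field copied into a fixed-size buffer without a length check, is illustrated below with a vulnerable handler beside a hardened one. This is an added example and is not code from MaxDB, WebDBM or Symantec; the buffer size, the `dbname=` parameter name and the request strings are constructed assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed-size buffer for a database name (illustrative value,
 * not taken from WebDBM). */
#define DB_NAME_MAX 32

/* Vulnerable pattern: the name taken from the request is copied with no
 * length check, so a name longer than DB_NAME_MAX - 1 bytes overruns the
 * stack buffer. Shown only for contrast; never pass it untrusted input. */
int handle_db_name_unsafe(const char *name_from_request)
{
    char db_name[DB_NAME_MAX];
    strcpy(db_name, name_from_request);   /* unbounded copy: overflow */
    return (int)strlen(db_name);
}

/* Hardened form: locate the (hypothetical) "dbname=" parameter in a query
 * string, measure it, and reject the request outright when the value is
 * empty or would not fit in out_len bytes including the terminator.
 * Returns 0 when accepted and the name is copied to out, -1 when rejected. */
int extract_db_name(const char *query, char *out, size_t out_len)
{
    static const char key[] = "dbname=";
    const char *p;
    const char *end;
    size_t n;

    if (query == NULL || out == NULL || out_len == 0)
        return -1;
    p = strstr(query, key);
    if (p == NULL)
        return -1;                      /* parameter absent */
    p += sizeof(key) - 1;
    end = strchr(p, '&');               /* value ends at next parameter */
    n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= out_len)
        return -1;                      /* empty or overlong: reject, don't truncate */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrappers so the outcome can be checked without exposing the
 * buffer: 1 if the request is accepted, 0 if rejected. */
int accepts(const char *query)
{
    char buf[DB_NAME_MAX];
    return extract_db_name(query, buf, sizeof buf) == 0;
}

/* 1 if the request is accepted and the extracted name equals expected. */
int name_matches(const char *query, const char *expected)
{
    char buf[DB_NAME_MAX];
    if (extract_db_name(query, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample requests: one ordinary, one with an overlong name. */
    const char *normal = "dbname=TESTDB&action=info";
    const char *overlong =
        "dbname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("normal request accepted:   %d\n", accepts(normal));    /* 1 */
    printf("overlong request accepted: %d\n", accepts(overlong));  /* 0 */
    /* The unsafe handler is only exercised with a short name here. */
    printf("unsafe handler, short name: %d\n", handle_db_name_unsafe("TESTDB"));
    return 0;
}
```

The point of the hardened version is that the length is checked against the destination before any byte is copied, and an over-length value is rejected rather than silently truncated, so a request carrying an overlong name produces a refused request instead of a corrupted stack frame.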
