
SAP J2EE Vulnerability

Former Member
0 Kudos

Hello,

It seems that we need an urgent security patch from SAP for the Java stack:

[The security of SAP J2EE Engine|http://www.net-security.org/secworld.php?id=11450&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3AHelpNetSecurity(HelpNetSecurity)]

The paper is [here|http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf]

Olivier

6 REPLIES

Former Member
0 Kudos

Good point from SAP, there is already an OSS note:

[https://service.sap.com/sap/support/notes/1616259]

Regards,

Olivier

0 Kudos

Hello dear colleagues. You are absolutely right that SAP has an OSS note about that issue, but the problem is much deeper, and the typical issues can potentially be found in other applications that fail to properly restrict all HTTP methods. Also, WEB.XML files contain different security options that must be configured. That's why we created a free tool to help administrators deal with all those problems.

The tool is called ERPScan WEBXML checker and can be used for checking SAP's or custom J2EE applications for different misconfigurations. You can fill in a form here to request this tool: http://erpscan.com/products/erpscan-webxml-checker/
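
As an added illustration of the web.xml point in the post above (example code written for this thread, not the ERPScan tool and not anything from SAP): a small checker that flags security constraints whose explicit `<http-method>` list leaves every unlisted verb outside the constraint. The sample web.xml is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from any SAP product): the first constraint only
# covers GET and POST, so other verbs reach /admin/* unconstrained; the second
# constraint omits <http-method> and therefore applies to all verbs.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>config</web-resource-name>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def find_partial_method_constraints(web_xml: str) -> list:
    """One finding per <web-resource-collection> that lists explicit <http-method>
    elements: per the servlet spec, unlisted verbs are not covered by the constraint,
    so the URL patterns are protected only for the verbs named."""
    root = ET.fromstring(web_xml)
    # Strip namespaces so tag lookups work for namespaced and plain files alike.
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    findings = []
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method") if m.text]
            if methods:
                findings.append({
                    "resource": wrc.findtext("web-resource-name", "").strip(),
                    "patterns": [p.text.strip() for p in wrc.findall("url-pattern") if p.text],
                    "covered_methods": methods,
                })
    return findings

if __name__ == "__main__":
    for f in find_partial_method_constraints(WEAK_WEB_XML):
        print(f"{f['resource']}: {f['patterns']} protected only for {f['covered_methods']}")
```

Removing the `<http-method>` elements (as in the second constraint) makes the constraint apply to every verb.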

0 Kudos

Hi Alexander,

We live on a small planet: it's fun to see you, the discoverer of the vulnerabilities, answer my thread about your article.

Regards,

Olivier

0 Kudos

Yes, the world is small, so one must be very careful and patch regularly.

Note that the SDN Security Forum is not "about" 0-day hacks or using vulnerabilities to promote tools via "panic" reactions. It is about improving security in a sustainable way, ideally from the source.

Sometimes "sources" need a little push, but from my experiences SAP takes security very seriously and there are also many considerations involved...

Certainly endangering customer installations or degradation of trust in the security options already available does not serve any purpose.

Cheers,

Julius

0 Kudos

Please see --> [AD-HOC SAP PRODUCT SECURITY NOTIFICATION|http://www28.sap.com/mk/get/G_11_SEC_UPD_AUG]

If you have external facing portals or PI/XI systems then you should patch them as soon as possible.

Important is [SAP Note 1624450|https://service.sap.com/sap/support/notes/1624450].

Cheers,

Julius

Edited by: Julius Bussche on Aug 26, 2011 12:30 PM

0 Kudos

The presentation from Black Hat is also available on blackhat.com. You can get more information about the vulnerability from there.

Cheers