Bugtraq mailing list archives

Re: SAP R/3 default password vulnerability


From: John Eisenschmidt <jweisen () eisenschmidt org>
Date: Tue, 27 Aug 2002 14:01:00 +0000

If I might be so bold, this seems to go on all the time.

We use a Contact Relationship Management (CRM) package from e.Piphany called ActiveSales (or e.Piphany Sales or eSales, 
whatever it is this week) that has a front end client and a repository independent back end database (Access, SQL 
Server, Oracle, DB2, anything that is ODBC compliant). The app logs into the database as a single super user. While you 
*can* change the out of the box password, it's a pain, and my guess is that 90%+ of their clients have not.

The same goes for Lawson Financials. Although it does support using the embedded database security, we've found that 
support is more difficult to get from them since the CIA is the only other customer that seems to be using it this way.

Most business applications these days rely on a 3rd party RDBMS to store their data, and most of them (even SQL Server, 
if done correctly) have security models that are sound, clean, and granular. However, what most developers seem to do 
is create a single user with dba rights that owns and operates on all their data, so they only have to deal with the 
implications of their code, and not what the database might and might not let them do.

One could argue that the use of a directory service can make this simpler, and it does, but not much. In Oracle, one 
can identify a user externally, meaning that their account information is stored outside Oracle, but their rights are 
still in the data dictionary. That means that I still need to give them the appropriate rights to objects in the 
database.

In my opinion (and we know how much that counts), all the mid-tier apps I've seen take little or no advantage of the 
database engine people pay to store their data. Security (and performance) can best be served through stored procedures 
and embedded database security.

Thoughts?

Thanks,
John

Unless the Voices are Mistaken, Stefan Hoelzner (shoelzner () cityweb de) Wrote:


SAP R/3 default password vulnerability

Summary
=======
SAP R/3 ships with four default user accounts that are protected with commonly known passwords. These user accounts 
are equipped with super- or power user access rights. 

-- 
John W. Eisenschmidt <jweisen () eisenschmidt org>
 Homepage URL    | http://www.eisenschmidt.org/jweisen
 GPG Public Key  | http://www.eisenschmidt.org/jweisen/misc/jeisenschmidt.asc
 GPG Fingerprint | 5F9B F916 5AD1 3295 CF99 BC1E 1F97 E6A3 37E3 BEF2

This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.en.html

"The motto was 'We Eat Our Young'" 
                -Marc Benioff, former Oracle Salesperson
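The two privilege models the post contrasts, as an added example written for this archive page and not taken from the post or from any of the products it names. It is Oracle SQL/PL-SQL, and the schema, table, procedure and account names (SALES, CONTACT, UPDATE_PHONE, APP_USER) are constructed for illustration; the externally identified account name must match whatever the OS or directory authenticator presents, which depends on the instance's configuration.

```sql
-- Pattern the post criticizes (shown commented out, not to be run):
-- one account with DBA rights owns and operates on all application data,
-- so every client connection is effectively a database superuser.
-- CREATE USER sales_app IDENTIFIED BY "changeme";
-- GRANT DBA TO sales_app;

-- Least-privilege alternative: the data lives in its own schema and
-- callers reach it only through stored procedures.
CREATE USER sales IDENTIFIED BY "<strong-schema-password>";   -- placeholder
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO sales;
ALTER USER sales QUOTA UNLIMITED ON users;

CREATE TABLE sales.contact (
    contact_id  NUMBER        PRIMARY KEY,
    owner_uid   VARCHAR2(30)  NOT NULL,   -- database user who owns the row
    phone       VARCHAR2(32)
);

-- Definer's-rights procedure: executes with SALES privileges, but its body
-- only permits one narrow operation, and it restricts that operation to rows
-- owned by the session's login user (SESSION_USER is the caller, not SALES).
CREATE OR REPLACE PROCEDURE sales.update_phone(
    p_contact_id IN NUMBER,
    p_phone      IN VARCHAR2)
AS
BEGIN
    UPDATE sales.contact
       SET phone = p_phone
     WHERE contact_id = p_contact_id
       AND owner_uid  = SYS_CONTEXT('USERENV', 'SESSION_USER');
    IF SQL%ROWCOUNT = 0 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'contact not found or not owned by caller');
    END IF;
END;
/

-- Externally identified account: authentication is handled outside Oracle
-- (OS or directory), but, exactly as the post observes, the rights still
-- have to be granted here in the data dictionary. Constructed name.
CREATE USER app_user IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO app_user;
GRANT EXECUTE ON sales.update_phone TO app_user;
-- Deliberately no SELECT/UPDATE/DELETE on sales.contact: direct table
-- access from the client is refused; only the procedure's path is open.
```

Auditing this is a dictionary query: a connection that holds DBA or direct DML grants on the application tables is the single-superuser pattern, whichever product put it there.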
