Penetration Testing mailing list archives

Re: SAP


From: Alex Alex <mis2ndg () yahoo com>
Date: 25 Mar 2002 14:46:49 -0000


In-Reply-To: <20020323184216.76962.qmail () web13803 mail yahoo com>

The ITS is a service that lets users access an
R/3 resource using a standard browser.
There are two main components: the wgate, which
intercepts the HTML requests and passes them to the
agate, which makes the translation from HTML to RFC for
the specified R/3 system.
You can find the agate and wgate on the same
machine, or typically the wgate in the DMZ and the agate
in the local LAN (more secure).

The wgate is a simple web server (IIS or Apache,
Netscape, etc.), while the agate has only recently
been released for Linux as well.

You can focus on the security of the wgate; after this
you can focus on the transaction. I've found several
ITS without an HTTPS session enabled.
You could demonstrate the insecurity of the service (not
encrypted) using ARP spoofing.
I'm not a good code analyser, but I could suggest that
you analyse the heavy cookie usage by the application.

On the ITS you can load several different custom
services exported by the R/3 system using IACOR,
which are the templates that let you access different
services on the R/3.

Consider also reading the good manual shipped with
the installation files.

I would be interested in the result of your test.

Good Luck.

--Alex

mis2ndg () yahoo com
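The two weaknesses the reply points at (an ITS session served without HTTPS, and session cookies that the browser would then send in the clear) can be checked offline from a captured wgate response. The following is an added example, not code from the original post or from SAP; the URL, header values and cookie names are constructed samples, not real ITS names.

```python
# Added example: audit a (constructed) ITS wgate response for the weaknesses
# discussed in the reply: plaintext transport and cookies without the
# Secure/HttpOnly attributes. Cookie names and URL are hypothetical.
from urllib.parse import urlsplit

# Constructed sample of a wgate reply (not a real capture; names are made up).
SAMPLE_URL = "http://wgate.example.test/scripts/wgate/"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "userctx=u42; Path=/; Secure; HttpOnly"),
]


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_wgate_response(url, headers):
    """Return a list of findings for a service URL and its response headers.

    headers is a list of (name, value) tuples, so repeated Set-Cookie headers
    are preserved (a dict would silently drop all but one of them).
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        # Everything below, cookies included, crosses the wire in the clear.
        findings.append("transport: service is served over %s, not https" % scheme)
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, attrs = parse_set_cookie(hvalue)
        if "secure" not in attrs:
            findings.append("cookie %s: missing Secure flag" % cname)
        if "httponly" not in attrs:
            findings.append("cookie %s: missing HttpOnly flag" % cname)
    return findings


if __name__ == "__main__":
    for finding in audit_wgate_response(SAMPLE_URL, SAMPLE_HEADERS):
        print(finding)
```

Feed it the URL and raw headers of the service's login response; an empty list means the transport and cookie flags pass, anything else is a finding to raise with the ITS owners.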

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

