Hello all, Sorry, I just cannot ignore this bait... On Feb 20, 2011, at 10:32 PM, MustLive wrote: > But in my article I told about web applications. How much SAP is used in > Internet (or in Ethernet) web applications and does it have relations to web > application at all? Not too much. SAP offers multiple Web frameworks, e.g. SAP's BSP framework alone has 315.000 hits in Google: http://www.google.de/search?q=allinurl%3A%22%2Fsap%2Fbc%2Fbsp%22 Quantitatively, this is not much. However, if you look at the domains that run SAP web applications, you will learn that these web applications are run by the big fishes on the web. Furthermore, you can safely bet that on most Intranets of large organizations there are many SAP Web apps deployed. This "WebManager-Pro CMS" in which you found the SQL-Injection has 166.000 hits in Google, most of which are dealing with security bugs: http://www.google.de/search?q=WebManager-Pro Now what is relevant on the web again? >> Yep. And then open up the ABAP functions > > Sebastian and Mike, SAP application security is another field, so earlier, > before I found this hole last year, there was no (known) such attack vector > for web applications. And from time when I found this RCE hole in CMS > WebManager-Pro, the landscape of attack vectors for web applications have > increased and from that time there is one more variant of placing shells > (backdoors) at web sites. > > Which must be interesting for webappsec community. Especially for those who haven't worked with SAP ;-). - Interesting, yes. - New, no. - SAP is relevant on the web. You have found a nice SQL-Injection that is worth an advisory. It is *not* worth opening a new class of bugs. Cheers, Sebastian