A flaw in a component of SAP's business software could expose sensitive information on corporate networks, security researchers warned Monday. The bug, which allows unintended access to data on the server running the software, lies in the Internet Graphics Server (IGS) in SAP's R/3, according to Corsaire, the British security company that discovered the flaw. Security monitoring company Secunia rates the issue "moderately critical." The U.K. National Infrastructure Security Co-ordination Centre said in an advisory that the issue poses a "high" risk.
SAP's R/3 is used by organizations to carry out accounting, human resources and other corporate tasks. The IGS component has Web server functionality that does not validate information passed to it, according to Corsaire. As a result, it is possible to access data on the system that runs IGS beyond that meant to be available, Corsaire said. SAP has fixed the issue in version 6.40 patch 11 or later, according to Secunia.