exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CYBEC_Phishing_Vector_in_SAP_WAS.txt

CYBEC_Phishing_Vector_in_SAP_WAS.txt
Posted Nov 9, 2005
Authored by Leandro Meiners | Site cybsec.com

CYBSEC Security Advisory - SAP Web Application Server was found to provide a vector to allow Phishing scams against SAP WAS applications.

tags | advisory, web
SHA-256 | d679b2ae35b4059539a50600ff1f5c66f96cb13efa0db3a4425d7126af04c170

CYBEC_Phishing_Vector_in_SAP_WAS.txt

Change Mirror Download
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Phishing Vector in SAP WAS (Web Application Server)

Vulnerability Class: Phishing Vector / Improper Input Validation

Release Date: 11/09/2005

Affected Applications:
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms:
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author: Leandro Meiners.

Vendor Status:
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to provide a vector to allow
Phishing scams against SAP WAS applications.

Exploit (Poc):
==============

The parameter sap-exiturl allows absolute URLs, such as
http://www.google.com by specifying "http://" as "http%3a%2f%2f". This
together with the parameter sap-sessioncmd, can be used to mount a
Phishing scam by sending a link like
http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=http%3a%2f%2fwww.attacker.com that will logout the user from the application (sap-sessioncmd=close), even if not logged in, and redirect to the attacker site.

Solutions:
==========

The solution, provided by SAP, is to disable support for the parameter
in older 6.10 releases as well as SP's in 6.20 prior to SP54. For new
6.20 and 7.00 releases the sap-exiturl parameter will be submitted to a
customer configured white-list. For further information see SAP Note
887322.

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close