what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CYBEC_Multiple_XSS_in_SAP_WAS.txt

CYBEC_Multiple_XSS_in_SAP_WAS.txt
Posted Nov 9, 2005
Authored by Leandro Meiners | Site cybsec.com

CYBSEC Security Advisory - SAP Web Application Server was found to be vulnerable to JavaScript injection, allowing for Cross-Site Scripting attacks. Three different vectors for script injection where discovered.

tags | advisory, web, javascript, xss
SHA-256 | 69ff31caa178b79091d32c07125e748ce10e868ab1c5444ef1266598fad476cf

CYBEC_Multiple_XSS_in_SAP_WAS.txt

Change Mirror Download
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Multiple XSS in SAP WAS (Web Application Server)

Vulnerability Class: Cross-Site Scripting

Release Date: 11/09/2005

Affected Applications:
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms:
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author: Leandro Meiners.

Vendor Status:
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to be vulnerable to JavaScript
injection, allowing for Cross-Site Scripting attacks. Three different
vectors for script injection where discovered:
* Error Pages (in error messages displayed) (SAP WAS 6.20 and above not
Vulnerable)
* The syscmd parameter
* SYSTEM PUBLIC (Test Application)


Exploit (Poc):
==============

Following is a Proof of Concept for each script injection vector:
* Error Pages:
http://sap-was/sap/bc/BSp/sap/index.html%3Cscript%3Ealert('xss')%
3C/script%3E
* The syscmd parameter:
http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd=%3Cscript%3Ealert('xss')%3C/script%3E
* Test Application (SYSTEM PUBLIC):
In BspApplication field it is possible to inject JavaScript code such
as: "<script>alert('xss')</script>.

Solutions:
==========

For solutions regarding Error Pages and the syscmd parameter as attack
vectors please see SAP Note 887323, which indicates Service Packs to
apply.

For solutions regarding SYSTEM PUBLIC Test Application please see SAP
Note 887164 which lists all test applications that shouldn't be
activated on production systems. Regarding XSS issues the BSP compiler
has been extended to have a new forceEncode="HTML" page directive, for
more information see SAP Note 887168. This new feature will be applied
to test applications in the next SP cycle. All test applications should
always be removed from production systems, customers can use transaction
SMICM to disable the test applications.

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Thanks:
=======

Special thanks go to Mariano Nuñez Di Croce.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close