---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA46852 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46852/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46852 RELEASE DATE: 2011-11-15 DISCUSS ADVISORY: http://secunia.com/advisories/46852/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46852/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46852 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious users to conduct script insertion attacks, manipulate certain data, bypass certain security restrictions, and compromise a vulnerable system and by malicious people to conduct cross-site scripting and cross-site request forgery attacks. 1) Input passed via certain transactions to the BAPI Explorer is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. 2) Input passed to the "instname" parameter in the VsiTestScan servlet and "name" parameter in the VsiTestServlet servlet within the Virus Scan Interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) Input passed to the "page" parameter in /SAP/BW/DOC/METADATA/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 4) An error in the RSTXSCRP report when using transaction "sa38" can be exploited to insert an arbitrary UNC path via the "File Name" field. 5) An error in the TH_GREP report when handling certain SOAP requests can be exploited to inject arbitrary shell commands via a "" parameter. Successful exploitation of this vulnerability may allow execution of arbitrary code. 6) The SPML service allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user if a logged-in administrative user visits a malicious web site. 7) An error in the CTC service when performing certain authentication checks can be exploited to gain access to user management and OS command execution functionality. Successful exploitation of this vulnerability may allow execution of arbitrary code. SOLUTION: Apply fixes (please see the vendor's advisories for details). PROVIDED AND/OR DISCOVERED BY: 1, 3, 4) Dmitriy Chastuchin, Digital Security Research Group (DSecRG). 2) Dmitriy Evdokimov, Digital Security Research Group (DSecRG). 3, 6, 7) Alexandr Polyakov, Digital Security Research Group (DSecRG). 5) Alexey Tyurin, Digital Security Research Group (DSecRG). ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1589525 https://service.sap.com/sap/support/notes/1616058 https://service.sap.com/sap/support/notes/1580017 https://service.sap.com/sap/support/notes/1583286 https://service.sap.com/sap/support/notes/1572325 https://service.sap.com/sap/support/notes/1546307 https://service.sap.com/sap/support/notes/1569550 Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=341 http://dsecrg.com/pages/vul/show.php?id=340 http://dsecrg.com/pages/vul/show.php?id=339 http://dsecrg.com/pages/vul/show.php?id=338 http://dsecrg.com/pages/vul/show.php?id=337 http://dsecrg.com/pages/vul/show.php?id=336 http://dsecrg.com/pages/vul/show.php?id=335 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------