(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Phishing_Vector_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: Phishing Vector in SAP BC (Business Connector)
Vulnerability Class: Phishing Vector / Improper Input Validation
Release Date: 02/15/2006
Affected Applications:
* SAP BC Core Fix 7 (and below)
Affected Platforms: Platform-Independent
Local / Remote: Remote
Severity: Low
Author: Leandro Meiners.
Vendor Status: Confirmed, patch released.
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Business Connector (SAP BC) is a middleware application based on the
B2B integration server from webMethods. It enables communication between
SAP applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.

The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.

Vulnerability Description:
==========================

SAP BC was found to provide a vector to allow Phishing scams against the
SAP BC administrator.

Technical Details:
==================

Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge being
publicly available.

Impact:
=======

This can be used to mount a Phishing scam by sending a link that, if
clicked by the administrator (while logged in, or who logs in after
clicking), will load the attacker's site webpage inside an HTML frame.

Solutions:
==========

SAP released a patch regarding this issue, which requires Server Core
Fix 7. Details can be found in SAP note 908349.

Vendor Response:
================

* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 12/19/2005: Solutions provided by vendor.
* 02/15/2006: Coordinate release of pre-advisory without technical details.
* 05/15/2006: Coordinate release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners@cybsec.com.

Please bear in mind that technical details will be disclosed three
months after the release of this pre-advisory, so such questions won't
be answered until then.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index