############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # Product: NetWeaver, Web Dynpro Java (BC-WD-JAV) # Vendor: SAP # Subject: Multiple XSS, HTML Injection # Risk: Medium # Effect: Remotely exploitable # Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch) # Date: June, 17th 2007 # ############################################################# Introduction: ------------- Compass Security discovered a web application security flaw (XSS) in the SAP Web Dynpro Java (BC-WD-JAV) running in either the testing or development mode. Vulnerable: ----------- SAP NetWeaver Nw04 SP15 to SP 19 SAP NetWeaver Nw04s SP7 to SP 11 Not vulnerable: --------------- Customers which run their system in production mode. SAP Java Technology Services 640 SP20 SAP Web Dynpro Runtime Core Components 700 SP12 Vulnerability Management: ------------------------- January 2007: Vulnerability found January 2007: SAP Security notified February 2007: SAP confirmation April/May 2007: Patches available June 2007: Compass Security Information SAP Information Policy: ------------------------- The information is available to registered SAP clients only (SAP Security Notes) Patches: -------- Apply the latest Web Dynpro patch according to the related notes. (See SAP Note No. 1045640, 946608). Description ----------- The NetWeaver Application includes the User-Agent-Header content in the server response body without applying proper encoding. Exploiting the vulnerability will require an attacker to spoof the User-Agent-Header. Abusing technologies such as JavaScript or Flash will allow conducting such an attack. XSS Ref: http://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.