(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Phishing_Vector_in_SAP_BC.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: Phishing Vector in SAP BC (Business Connector)
Vulnerability Class: Phishing Vector / Improper Input Validation
Release Date: 02/15/2006
Affected Applications:
Affected Platforms: Platform-Independent
Local / Remote: Remote
Severity: Low
Author: Leandro Meiners.
Vendor Status: Confirmed, patch released.
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf
SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
SAP BC was found to provide a vector to allow Phishing scams against the
SAP BC administrator.
Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow their clients
to upgrade affected software prior to the technical knowledge been
publicly available.
This can be used to mount a Phishing scam by sending a link, that if
clicked by the administrator (while logged in, or logs in after
clicking) will load the attacker's site webpage inside an HTML frame.
SAP released a patch regarding this issue, which requires Server Core
Fix 7. Details can be found in SAP note 908349.
For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then.
For more information regarding CYBSEC: www.cybsec.com
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [email protected]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index