(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf )
CYBSEC S.A.
www.cybsec.com
Advisory Name: Phishing Vector in SAP BC (Business Connector)
Vulnerability Class: Phishing Vector / Improper Input Validation
Release Date: 05/15/2006
Affected Applications:
Affected Platforms:
Local / Remote: Remote
Severity: Low
Author: Leandro Meiners.
Vendor Status:
Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf
SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
SAP BC was found to provide a vector to allow Phishing scams against the
SAP BC administrator.
The parameter url of the page adapter-index.dsp allows absolute URLs,
such as http://www.google.com. This can be used to mount a Phishing scam
by sending a link like
http://sapbc/WmRoot/adapter-index.dsp?url=http://www.attacker.com that
if clicked by the administrator (while logged in, or logs in after
clicking) will load the attacker's site webpage inside an HTML frame.
This can be used to mount a Phishing scam by sending a link, that if
clicked by the administrator (while logged in, or logs in after
clicking) will load the attacker's site webpage inside an HTML frame.
SAP released a patch regarding this issue, which requires Server Core
Fix 7. Details can be found in SAP note 908349.
For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.
For more information regarding CYBSEC: www.cybsec.com
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: [email protected]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index