Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21242
HistoryJan 28, 2009 - 12:00 a.m.

SAP NetWeaver XSS Vulnerability

2009-01-2800:00:00
vulners.com
21
JSON

#############################################################

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

#############################################################

Product: NetWeaver/Web DynPro

Vendor: SAP (www.sap.com)

CVD ID: CVE-2008-3358

Subject: Cross-Site Scripting Vulnerability

Risk: High

Effect: Remotely exploitable

Author: Martin Suess <[email protected]>

Date: January 27th 2009

#############################################################

Introduction:

The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.

Affected:

  • All tested versions that are vulnerable
    SAP NetWeaver/Web DynPro
    [for detailed Information, see SAP Notification 1235253]

Description:

A specially crafted URL in SAP NetWeaver allows an attacker to
launch a Cross-Site Scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create an URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive

<html><title>test</title><body onload="alert(document.cookie)">
</body></html>

The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only). In Firefox (tested with version 3.0
only) it did not get executed as the content-type header of the
server response is interpreted more strictly (text/plain).

SAP Information Policy:

The information is available to registered SAP clients only (SAP
Security Notes).

Patches:

Apply the latest SAP security patches for Netweaver. For more detailed
patch information, see SAP notification number 1235253.

Timeline:

Vendor Status: Patch released
Vendor Notified: July 21st 2008
Vendor Response: July 28th 2008
Patch available: October 2008
Advisory Release: January 27th 2009

References:

  • SAP Notification 1235253 (problem and patches)

Related

cve 1
prion 1
securityvulns 1
openvas 3
cve
cve
CVE-2008-3358
2009-01-28 18:30:00
prion
prion
Cross site scripting
2009-01-28 18:30:00
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2009-02-01 00:00:00
openvas
openvas
Ubuntu USN-712-1 (vim)
2009-02-02 00:00:00
Ubuntu USN-711-1 (ktorrent)
2009-02-02 00:00:00
Ubuntu USN-710-1 (xine-lib)
2009-02-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:21242
cve1prion1securityvulns1openvas3