Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

CYBSEC - Security Advisory: Multiple XSS in SAP WAS

from [Leandro Meiners] Network Security [Permanent Link]
Subject: CYBSEC - Security Advisory: Multiple XSS in SAP WAS
Date: Wed, 09 Nov 2005 10:10:08 -0300 
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf 
)

CYBSEC S.A.
www.cybsec.com

Advisory Name: Multiple XSS in SAP WAS (Web Application Server)

Vulnerability Class: Cross-Site Scripting

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to be vulnerable to JavaScript
injection, allowing for Cross-Site Scripting attacks. Three different
vectors for script injection where discovered:
* Error Pages (in error messages displayed) (SAP WAS 6.20 and above not
Vulnerable)
* The syscmd parameter
* SYSTEM PUBLIC (Test Application)


Exploit (Poc):
==============

Following is a Proof of Concept for each script injection vector:
* Error Pages:
http://sap-was/sap/bc/BSp/sap/index.html%3Cscript%3Ealert('xss')%
3C/script%3E
* The syscmd parameter:
http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd=%3Cscript%3Ealert('xss')%3C/script%3E
* Test Application (SYSTEM PUBLIC): 
In BspApplication field it is possible to inject JavaScript code such
as: "<script>alert('xss')</script>.

Solutions:
==========

For solutions regarding Error Pages and the syscmd parameter as attack
vectors please see SAP Note 887323, which indicates Service Packs to
apply.

For solutions regarding SYSTEM PUBLIC Test Application please see SAP
Note 887164 which lists all test applications that shouldn't be
activated on production systems. Regarding XSS issues the BSP compiler
has been extended to have a new forceEncode="HTML" page directive, for
more information see SAP Note 887168. This new feature will be applied
to test applications in the next SP cycle. All test applications should
always be removed from production systems, customers can use transaction
SMICM to disable the test applications. 

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Thanks:
=======

Special thanks go to Mariano Nuñez Di Croce.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • CYBSEC - Security Advisory: Multiple XSS in SAP WAS, Leandro Meiners <=
Previous by Date:  CYBSEC - Security Advisory: Phishing Vector in SAP WAS, Leandro Meiners
Next by Date:  Multiple security issues in TikiWiki 1.9.x, Moritz Naumann
Previous by Thread:  CYBSEC - Security Advisory: Phishing Vector in SAP WAS, Leandro Meiners
Next by Thread:  Multiple security issues in TikiWiki 1.9.x, Moritz Naumann
Indexes:  [Date] [Thread] [Top] [All Lists]