SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Web Server/CGI)  >   SAP Web Application Server Vendors:   SAP
SAP Web Application Server Input Validation Holes Permit HTTP Response Splitting, Cross-Site Scripting, and Phishing Attacks
SecurityTracker Alert ID:  1015174
SecurityTracker URL:  http://securitytracker.com/id/1015174
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 9 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.10, 6.20, 6.40, 7.00
Description:   Leandro Meiners from CYBSEC reported several vulnerabilities in the SAP Web Application Server. A remote user can conduct HTTP response splitting and cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SAP Web Application Server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The syscmd parameter and the SYSTEM PUBLIC Test Application are affected. Also, in version 6.10, the Error Pages are affected.

Some demonstration exploit URLs are provided:

http://[target]/sap/bc/BSp/sap/index.html%3Cscript%3Ealert('xss')%3C/script%3E

http://[target]/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd=%3Cscript%3Ealert('xss')%3C/script%3E

A remote user can also submit a specially crafted URL invoking the 'sap-exiturl' parameter to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A remote user can supply the string "%0a%0dHeader:+Value" for the parameter sap-exiturl, the string will be considered as another HTTP header.

The server may facilitate phishing scams against service applications. A remote user can supply a specially crafted 'sap-existurl' parameter that, when loaeded by the target user, will logout the victim and then redirect the victim to an alternate site.

These vulnerabilities only apply to the BSP runtime of the SAP web application server.

The vendor was notified on September 23, 2005.

The original advisories are available at:

http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP Web Application Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

A remote user may be able to conduct phishing attacks against target users.

Solution:   The vendor has issued fixes.

For the cross-site scripting vulnerability in the Error Pages and the syscmd parameter, see SAP Note 887323 to determine which Service Packs to apply.

For the cross-site scripting vulnerability in the SYSTEM PUBLIC Test Application, see SAP Note 887164 for a list of all test applications that should not be enabled on production systems.

SAP Note 887168 describes a new directive (forceEncode="HTML") that will be applied to test applications in the next service pack cycle.

For the HTTP response splitting vulnerability, disable support for the affected parameter in versions 6.10 and version 6.20 prior to SP54. In versions 6.20 and 7.00, the affected sap-exiturl parameter can be submitted to a customer configured white-list, as described in SAP Note 887322.

Vendor URL:  www.sap.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  CYBSEC - Security Advisory: HTTP Response Splitting in SAP WAS

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: HTTP Response Splitting in SAP WAS (Web Application
Server)

Vulnerability Class: HTTP Response Splitting

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: High

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:
==========================

SAP Web Application Server was found to be vulnerable to HTTP Response
Splitting, in the parameter sap-exiturl. For further reference regarding
HTTP Response Splitting see the whitepaper "HTTP Response Splitting, Web
Cache Poisoning Attacks, and Related Topics" (available at:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf)


Exploit (PoC):
==============

If the string "%0a%0dHeader:+Value" is passed (omitting the double
quotes) as the value for the parameter sap-exiturl the string "Header:
value" (without the double quotes) is considered as another HTTP header,
indicating the presence of the vulnerability.

Solutions:
==========

The solution, provided by SAP, is to disable support for the parameter
in older 6.10 releases as well as SP's in 6.20 prior to SP54. For new
6.20 and 7.00 releases the sap-exiturl parameter will be submitted to a
customer configured white-list. For further information see SAP Note
887322. 

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index



(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Phishing Vector in SAP WAS (Web Application Server)

Vulnerability Class: Phishing Vector / Improper Input Validation

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to provide a vector to allow
Phishing scams against SAP WAS applications.

Exploit (Poc):
==============

The parameter sap-exiturl allows absolute URLs, such as
http://www.google.com by specifying "http://" as "http%3a%2f%2f". This
together with the parameter sap-sessioncmd, can be used to mount a
Phishing scam by sending a link like
http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=http%3a%2f%2fwww.attacker.com that will logout the user from the application (sap-sessioncmd=close), even if not logged in, and redirect to the attacker site.

Solutions:
==========

The solution, provided by SAP, is to disable support for the parameter
in older 6.10 releases as well as SP's in 6.20 prior to SP54. For new
6.20 and 7.00 releases the sap-exiturl parameter will be submitted to a
customer configured white-list. For further information see SAP Note
887322. 

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index




(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Multiple XSS in SAP WAS (Web Application Server)

Vulnerability Class: Cross-Site Scripting

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to be vulnerable to JavaScript
injection, allowing for Cross-Site Scripting attacks. Three different
vectors for script injection where discovered:
* Error Pages (in error messages displayed) (SAP WAS 6.20 and above not
Vulnerable)
* The syscmd parameter
* SYSTEM PUBLIC (Test Application)


Exploit (Poc):
==============

Following is a Proof of Concept for each script injection vector:
* Error Pages:
http://sap-was/sap/bc/BSp/sap/index.html%3Cscript%3Ealert('xss')%
3C/script%3E
* The syscmd parameter:
http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd=%3Cscript%3Ealert('xss')%3C/script%3E
* Test Application (SYSTEM PUBLIC): 
In BspApplication field it is possible to inject JavaScript code such
as: "<script>alert('xss')</script>.

Solutions:
==========

For solutions regarding Error Pages and the syscmd parameter as attack
vectors please see SAP Note 887323, which indicates Service Packs to
apply.

For solutions regarding SYSTEM PUBLIC Test Application please see SAP
Note 887164 which lists all test applications that shouldn't be
activated on production systems. Regarding XSS issues the BSP compiler
has been extended to have a new forceEncode="HTML" page directive, for
more information see SAP Note 887168. This new feature will be applied
to test applications in the next SP cycle. All test applications should
always be removed from production systems, customers can use transaction
SMICM to disable the test applications. 

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Thanks:
=======


Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC