SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SAP NetWeaver
Vendors:   SAP
SAP NetWeaver Unspecified Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1021638
SecurityTracker URL:  http://securitytracker.com/id/1021638
CVE Reference:   CVE-2008-3358
Date:  Jan 27 2009
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in SAP NetWeaver. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SAP NetWeaver software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some browsers may not permit code execution.

The vendor was notified on July 21, 2008.

Martin Suess reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP NetWeaver software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix, described in SAP Notification 1235253.
Vendor URL:  www.sap.com/
Cause:   Input validation error
Underlying OS:  Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SAP NetWeaver Cross-Site Scripting

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   NetWeaver/Web DynPro
# Vendor:    SAP (www.sap.com)
# CVE ID:    CVE-2008-3358
# Subject:   Cross-Site Scripting Vulnerability
# Risk:      High
# Effect:    Remotely exploitable
# Author:    Martin Suess <martin.suess@csnc.ch>
# Date:      January 27th 2009
#
#############################################################

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.

Affected:
---------
- All tested versions that are vulnerable
	SAP NetWeaver/Web DynPro
	[for detailed information, see SAP Notification 1235253]

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to
launch a Cross-Site Scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive

<html><title>test</title><body onload="alert(document.cookie)">
</body></html>

The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only). In Firefox (tested with version 3.0
only) it did not get executed as the content-type header of the
server response is interpreted more strictly (text/plain).

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP
Security Notes).

Patches:
--------
Apply the latest SAP security patches for NetWeaver. For more detailed
patch information, see SAP notification number 1235253.

Timeline:
---------
Vendor Status:		Patch released
Vendor Notified:	July 21st 2008
Vendor Response:	July 28th 2008
Patch available:	October 2008
Advisory Release:	January 27th 2009

References:
-----------
- SAP Notification 1235253 (problem and patches)

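The response in the advisory is served as text/plain yet still executes in Internet Explorer 7, so a reflected value has to be encoded whatever the declared content type. The following is an added example, not part of the advisory or of SAP's fix: it audits a captured response for that pattern and builds an encoded reply; the function names and the sample response are constructed for illustration.

```python
import html
from email.parser import Parser

# Constructed payload and response, modelled on the example in the advisory.
PAYLOAD = '<html><title>test</title><body onload="alert(document.cookie)"></body></html>'

def build_response(body, extra_headers=()):
    """Assemble a raw text/plain HTTP/1.1 response around `body`."""
    headers = ["Content-Type: text/plain", f"Content-Length: {len(body.encode())}", *extra_headers]
    return "HTTP/1.1 200 OK\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body

def parse_response(raw):
    """Split a raw response into (status line, parsed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    return status, Parser().parsestr(header_block, headersonly=True), body

def audit_reflection(raw, submitted):
    """List findings for a response to a request that carried `submitted`."""
    _, headers, body = parse_response(raw)
    findings = []
    # Only values containing HTML metacharacters are of interest.
    if html.escape(submitted) == submitted or submitted not in body:
        return findings
    findings.append("parameter reflected without HTML encoding")
    nosniff = (headers.get("X-Content-Type-Options") or "").strip().lower() == "nosniff"
    ctype = headers.get_content_type()
    if ctype != "text/html" and not nosniff:
        findings.append(f"{ctype} without nosniff: a sniffing browser may render it as HTML")
    return findings

def safe_echo(submitted):
    """Hardened reply: HTML-encode the value and forbid content sniffing.

    nosniff is honoured by Internet Explorer 8 and later, not by the
    version 7 tested in the advisory, so encoding is the primary control.
    """
    return build_response(html.escape(submitted, quote=True),
                          ["X-Content-Type-Options: nosniff"])

if __name__ == "__main__":
    for name, raw in [("vulnerable", build_response(PAYLOAD)), ("hardened", safe_echo(PAYLOAD))]:
        print(name, audit_reflection(raw, PAYLOAD))
```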

 
 

