full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] SAP NetWeaver Cross-Site S

[Full-disclosure] SAP NetWeaver Cross-Site Scripting

From: Martin Suess <martin.suess_at_nospam>
Date: Tue Jan 27 2009 - 08:58:21 GMT
To: full-disclosure@lists.grok.org.uk


#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: NetWeaver/Web DynPro
# Vendor: SAP (www.sap.com)
# CVD ID: CVE-2008-3358
# Subject: Cross-Site Scripting Vulnerability
# Risk: High
# Effect: Remotely exploitable
# Author: Martin Suess <martin.suess@csnc.ch>
# Date: January 27th 2009
#
#############################################################

Introduction:



The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when clicking on a specially crafted URL which can be sent to the user by email.
This vulnerability can be used to steal the user's session cookie or redirect him to a phishing website which shows the (faked) login screen and gets his logon credentials as soon as he tries to log in on the faked site.

Affected:


  • All tested versions that are vulnerable SAP NetWeaver/Web DynPro [for detailed Information, see SAP Notification 1235253]

Description:



A specially crafted URL in SAP NetWeaver allows an attacker to launch a Cross-Site Scripting attack. The resulting page contains only the unfiltered value of the vulnerable parameter. It is possible to create an URL which causes the resulting page to contain malicious JavaScript code. A response to such a request could look like the following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive

<html><title>test</title><body onload="alert(document.cookie)"> </body></html>

The code only gets executed in Microsoft Internet Explorer (tested with version 7.0.5730 only). In Firefox (tested with version 3.0 only) it did not get executed as the content-type header of the server response is interpreted more strictly (text/plain).

SAP Information Policy:



The information is available to registered SAP clients only (SAP Security Notes).

Patches:



Apply the latest SAP security patches for Netweaver. For more detailed patch information, see SAP notification number 1235253.

Timeline:


Vendor Status: Patch released Vendor Notified: July 21st 2008 Vendor Response: July 28th 2008 Patch available: October 2008 Advisory Release: January 27th 2009

References:


  • SAP Notification 1235253 (problem and patches)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/