SAP AS Java XSS in Enterprise Portal

2016-01-11T00:00:00
ID ERPSCAN-17-027
Type erpscan
Reporter ERPScan
Modified 2016-01-11T00:00:00

Description

Application: SAP NetWeaver AS Java
Vendor URL: SAP
Bugs: XSS
Reported: 01.11.2016
Vendor response: 02.11.2016
Date of Public Advisory: 09.05.2017
Reference: SAP Security Note 2412897
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: XSS
Impact: Account hijacking
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 4.8 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) | Network (N)
---|---
AC: Attack Complexity (Required attack complexity) | Low (L)
PR: Privileges Required (Level of privileges needed to exploit) | High (H)
UI: User Interaction (Required user participation) | Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C)
C: Impact to Confidentiality | Low (L)
I: Impact to Integrity | Low (L)
A: Impact to Availability| None (N)

Description

An attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.

Business risk

An attacker can use a Cross-Site Scripting vulnerability for injecting a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. The attacker can gain access to a user session and learn business critical information, in some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.

VULNERABLE PACKAGES

SAP NetWeaver 7.1-7.5

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2412897

TECHNICAL DESCRIPTION

Proof of Concept

http://172.16.10.65:50000/irj/servlet/prt/portal/prteventname/submit/prtroot/com.sap.portal.runtime.system.notification.TopicCreation?name=asd&value=asd&topic_type=string&submit=Add+Topic+Data&name_file=asdfhh77”’<script>alert(1)</script>sjls5srp879&file=test

1

|

http://172.16.10.65:50000/irj/servlet/prt/portal/prteventname/submit/prtroot/com.sap.portal.runtime.system.notification.TopicCreation?name=asd&value=asd&topic_type=string&submit=Add+Topic+Data&name_file=asdfhh77”’<script>alert(1)</script>sjls5srp879&file=test

---|---