SAP NetWeaver Web Dynpro Information Disclosure

`# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure  
# Versions Affected: SAP NetWeaver 6.4 - 7.5  
# Vendor URL: http://SAP.com  
# Bugs: Information disclosure (Enumerate users)  
# Sent: 2016-12-15  
# Reported: 2016-12-15  
# Date of Public Advisory: 09.02.2016  
# Reference: SAP Security Note 2344524  
# Author: Richard Alviarez (SIA Group)  
# CVE: N/A  
  
# 1. ADVISORY INFORMATION  
# Title: SAP NetWeaver Web Dynpro a information disclosure (Enumerate users)  
# Advisory ID: 2344524  
# Risk: Medium  
# Date published: 20.12.2016  
  
# 2. VULNERABILITY DESCRIPTION  
# Anonymous attacker can use a special HTTP request to get information  
# about SAP NetWeaver users.  
  
# 3. VULNERABLE PACKAGES  
# SAP NetWeaver Web Dynpro 6.4 - 7.5  
# Other versions are probably affected too, but they were not checked.  
  
# 4. TECHNICAL DESCRIPTION  
# A potential attacker can use the vulnerability in order to reveal  
# information about user names,  
# first and last names, and associated emails, this can provide an attacker  
# with enough information  
# to make a more accurate and effective attack  
  
# Steps to exploit this vulnerability  
  
1. Open  
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate  
or  
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate  
  
page on SAP server  
  
2. Press "Change processor" button  
  
3. and in the "find" section, put the initial or name to be searched,  
followed by a *  
  
You will get a list of SAP users and information.  
  
`