SAP Cfolders Stored Cross Site Scripting

`Digital Security Research Group [DSecRG] Advisory #DSECRG-09-014  
  
Original advisory: http://dsecrg.com/pages/vul/show.php?id=114  
  
Application: SAP Cfolders (included in: SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms)  
Vendor URL: http://SAP.com  
Bugs: Multiple Stored XSS  
Risk: Hight  
Exploits: YES  
Reported: 04.12.2008  
Vendor response: 05.12.2008  
Vulnerability patched: 15.12.2008  
Date of Public Advisory: 21.04.2009  
Reference: SAP note 1284360  
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
  
Description  
***********  
  
  
cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.   
cFolders is part of a suite of applications powered by SAP NetWeaver that integrate project management,   
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise   
environments.   
  
cFolders is integrated to SAP ECC, SAP Product Lifecycle   
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP   
NetWeaver cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for changes, and   
redline documents and product information. Partners and suppliers can interact with cFolders in predefined   
collaborative or competitive scenarios.   
  
  
  
Details  
*******  
  
Multiple Stored XSS vulnerabilities found in SAP Cfolders engine. User which is a business partner of   
organization can steal Administrators cookie by inserting javascript into CFolders system.  
He can do this using 2 Stored XSS vulnerabilities.  
  
SAP Server dont associate session identificators with users IP adress or with any other additional data.  
IT autentificate users Only by cookies. So any user which can steal administrators cookie can use them to authentificate with administrator rights.  
  
  
1. User can insert javascript code into site using link creation option   
  
He can inject javascript code into LINK field on page  
  
https://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm  
  
  
example LINK value:  
  
http://test.com" onmouseover="alert(document.cookie)">  
  
Then when administrator will browse for user folders script will execute.   
  
  
2. Second XSS vulnerability found in document uploading area.  
User can create a document with file name included javascript code.  
  
  
example filename value:  
  
aaaa"><script>alert()</script>.doc  
  
To do this user must change file name in http request when sending a request for file uploading.  
  
So using this vulnerability user can steal cookie like he do in first example.  
  
  
  
Fix Information  
***************  
  
The issue has been solved. See SAP note 1284360.  
  
  
References:  
***********  
  
SAP note 1284360  
  
https://service.sap.com/sap/support/notes/1284360  
  
  
  
About  
*****  
  
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsecrg [dot] com  
http://www.dsecrg.com   
http://www.dsec.ru  
`