SAP Cfolders Linked Cross Site Scripting

2009-04-22T00:00:00
ID PACKETSTORM:76886
Type packetstorm
Reporter dsecrg.com
Modified 2009-04-22T00:00:00

Description

                                        
                                            `Digital Security Research Group [DSecRG] Advisory #DSECRG-09-021  
  
Original advisory: http://dsecrg.com/pages/vul/show.php?id=121  
  
Application: SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))  
Vendor URL: http://SAP.com  
Bugs: Multiple Liked XSS  
Risk: Hight  
Exploits: YES  
Reported: 12.01.2009  
Vendor response: 13.01.2009  
patched: 21.01.2009  
Date of Public Advisory: 21.04.2009  
Reference: SAP note 1292875   
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
  
Description  
***********  
  
cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.   
cFolders is part of a suite of applications powered by SAP® NetWeaver™ that integrate project management,   
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise   
environments.   
  
cFolders is integrated to SAP ECC, SAP Product Lifecycle   
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP   
NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for changes, and   
redline documents and product information. Partners and suppliers can interact with cFolders in predefined   
collaborative or competitive scenarios.   
  
  
  
Details  
*******  
  
Multiple Linked XSS vulnerabilities found in SAP Cfolders engine. Any user can cheate a vulnerable link   
and steal user's or administrator's cookie.  
  
He can do this using 3 Linked XSS vulnerabilities.  
  
  
1. Linked XSS found in col_table_filter.htm page. Vulnerable parameter "p_current_role"  
  
Example:   
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>  
  
  
2. Linked XSS found in me_ov.htm page. Vulnerable parameter "p_current_role"  
  
  
Example:   
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role= aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>  
  
  
  
Fix Information  
***************  
  
The issue has been solved. See SAP note 1292875.  
  
  
  
References:  
***********  
  
SAP note 1292875   
  
https://service.sap.com/sap/support/notes/1292875   
  
  
  
About  
*****  
  
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsecrg [dot] com  
http://www.dsecrg.com   
http://www.dsec.ru  
`