(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf )
CYBSEC S.A. www.cybsec.com
Advisory Name: Phishing Vector in SAP BC (Business Connector)
Vulnerability Class: Phishing Vector / Improper Input Validation
Release Date: 05/15/2006
* SAP BC Core Fix 7 (and below)
Affected Platforms: * Platform-Independent
Local / Remote: Remote
Author: Leandro Meiners.
* Confirmed, patch released.
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
SAP Business Connector (SAP BC) is a middleware application based on B2B integration server from webMethods. It enables communication between SAP applications and SAP R/3 and non-SAP applications, by making all SAP functions accessible to business partners over the Internet as an XML-based service. The SAP Business Connector uses the Internet as a communication platform and XML or HTML as the data format. It integrates non-SAP products by using an open, non-proprietary technology.
SAP BC was found to provide a vector to allow Phishing scams against the SAP BC administrator.
The parameter url of the page adapter-index.dsp allows absolute URLs, such as http://www.google.com. This can be used to mount a Phishing scam by sending a link like http://sapbc/WmRoot/adapter-index.dsp?url=http://www.attacker.com that if clicked by the administrator (while logged in, or logs in after clicking) will load the attacker's site webpage inside an HTML frame.
This can be used to mount a Phishing scam by sending a link, that if clicked by the administrator (while logged in, or logs in after clicking) will load the attacker's site webpage inside an HTML frame.
SAP released a patch regarding this issue, which requires Server Core Fix 7. Details can be found in SAP note 908349.
For more information regarding the vulnerability feel free to contact the author at lmeiners<at>cybsec.com.
For more information regarding CYBSEC: www.cybsec.com
Leandro Meiners CYBSEC S.A. Security Systems E-mail: email@example.com Tel/Fax: [54-11] 4382-1600 Web: http://www.cybsec.com PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index