ID

VAR-200901-0456


CVE

CVE-2008-3358


TITLE

SAP NetWeaver Portal Web Dynpro (WD) Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2009-001639

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document.

SAP NetWeaver and Web Dynpro Java are prone to a cross-site scripting vulnerability because the applications fail to sufficiently sanitize user-supplied input. A successful exploit of this vulnerability could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible. This issue is associated with SAP notification number 1235253.

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: NetWeaver/Web DynPro
# Vendor:  SAP (www.sap.com)
# CVD ID:  CVE-2008-3358
# Subject: Cross-Site Scripting Vulnerability
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Martin Suess <martin.suess@csnc.ch>
# Date:    January 27th 2009
#
#############################################################

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when clicking on a specially crafted URL which can be sent to the user by email. This vulnerability can be used to steal the user's session cookie or redirect him to a phishing website which shows the (faked) login screen and gets his logon credentials as soon as he tries to log in on the faked site.

Affected:
---------
- All tested versions that are vulnerable
  SAP NetWeaver/Web DynPro
  [for detailed Information, see SAP Notification 1235253]

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to launch a Cross-Site Scripting attack. The resulting page contains only the unfiltered value of the vulnerable parameter. It is possible to create an URL which causes the resulting page to contain malicious JavaScript code. A response to such a request could look like the following example:

    HTTP/1.1 200 OK
    Date: Fri, 18 Jul 2008 13:13:30 GMT
    Server: <server>
    content-type: text/plain
    Content-Length: 67
    Keep-Alive: timeout=10, max=500
    Connection: Keep-Alive

    <html><title>test</title><body onload="alert(document.cookie)">
    </body></html>

The code only gets executed in Microsoft Internet Explorer (tested with version 7.0.5730 only). In Firefox (tested with version 3.0 only) it did not get executed as the content-type header of the server response is interpreted more strictly (text/plain).

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP Security Notes).

Patches:
--------
Apply the latest SAP security patches for Netweaver.

Timeline:
---------
Vendor Status:    Patch released
Vendor Notified:  July 21st 2008
Vendor Response:  July 28th 2008
Patch available:  October 2008
Advisory Release: January 27th 2009

References:
-----------
- SAP Notification 1235253 (problem and patches)

----------------------------------------------------------------------

TITLE: SAP NetWeaver Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID: SA33685

VERIFY ADVISORY: http://secunia.com/advisories/33685/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE: From remote

SOFTWARE: SAP NetWeaver 4.x
http://secunia.com/advisories/product/9490/

DESCRIPTION: A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation may require that the victim uses a browser which executes JavaScript statements in documents of the content type "text/plain" (e.g. Internet Explorer).

SOLUTION: The vendor has reportedly issued a patch via SAP Note 1235253.
http://service.sap.com/sap/support/notes/1235253

PROVIDED AND/OR DISCOVERED BY: Martin Suess, Compass Security

ORIGINAL ADVISORY:
SAP: http://service.sap.com/sap/support/notes/1235253
Compass Security: http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt

Trust: 2.07

sources: NVD: CVE-2008-3358 // JVNDB: JVNDB-2009-001639 // BID: 33465 // PACKETSTORM: 74357 // PACKETSTORM: 74348

AFFECTED PRODUCTS

vendor: sap | model: netweaver | scope: - | version: -

Trust: 1.4

vendor: sap | model: netweaver | scope: eq | version: *

Trust: 1.0

vendor: sap | model: netweaver application server sp21 | scope: eq | version: 6.40104329.313

Trust: 0.3

vendor: sap | model: netweaver application server sp17 | scope: eq | version: 6.40104329.313

Trust: 0.3

vendor: sap | model: netweaver nw04s sp9 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver portal sp21 | scope: eq | version: 2004

Trust: 0.3

vendor: sap | model: netweaver application server sp17 | scope: eq | version: 6.40

Trust: 0.3

vendor: sap | model: netweaver nw04 sp17 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver nw04 sp15 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver portal | scope: eq | version: 2004..

Trust: 0.3

vendor: sap | model: netweaver sp15 | scope: eq | version: 7.0

Trust: 0.3

vendor: sap | model: netweaver nw04s sp10 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver sp20 | scope: eq | version: 640

Trust: 0.3

vendor: sap | model: netweaver nw04s sp8 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver nw04s sp11 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver developer studio sp21 | scope: eq | version: 2004

Trust: 0.3

vendor: sap | model: netweaver nw04s sp7 | scope: - | version: -

Trust: 0.3

vendor: sap | model: web dynpro runtime core components sp12 | scope: eq | version: 700

Trust: 0.3

vendor: sap | model: netweaver nw04 sp18 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver nw04 sp19 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver sp8 | scope: eq | version: 7.0

Trust: 0.3

vendor: sap | model: netweaver nw04 sp16 | scope: - | version: -

Trust: 0.3

vendor: sap | model: netweaver portal sp17 | scope: eq | version: 2004

Trust: 0.3

vendor: sap | model: netweaver developer studio sp17 | scope: eq | version: -2004

Trust: 0.3

sources: BID: 33465 // JVNDB: JVNDB-2009-001639 // CNNVD: CNNVD-200901-384 // NVD: CVE-2008-3358

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3358
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-3358
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200901-384
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2008-3358
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-001639 // CNNVD: CNNVD-200901-384 // NVD: CVE-2008-3358

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2009-001639 // NVD: CVE-2008-3358

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200901-384

TYPE

xss

Trust: 0.8

sources: PACKETSTORM: 74357 // PACKETSTORM: 74348 // CNNVD: CNNVD-200901-384

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001639

PATCH

title: Top Page | url: https://websmp206.sap-ag.de/

Trust: 0.8

sources: JVNDB: JVNDB-2009-001639

EXTERNAL IDS

db: NVD | id: CVE-2008-3358

Trust: 2.9

db: BID | id: 33465

Trust: 1.9

db: SECUNIA | id: 33685

Trust: 1.8

db: VUPEN | id: ADV-2009-0255

Trust: 1.6

db: SECTRACK | id: 1021638

Trust: 1.6

db: OSVDB | id: 51627

Trust: 1.6

db: JVNDB | id: JVNDB-2009-001639

Trust: 0.8

db: BUGTRAQ | id: 20090127 SAP NETWEAVER XSS VULNERABILITY

Trust: 0.6

db: XF | id: 48237

Trust: 0.6

db: CNNVD | id: CNNVD-200901-384

Trust: 0.6

db: PACKETSTORM | id: 74357

Trust: 0.1

db: PACKETSTORM | id: 74348

Trust: 0.1

sources: BID: 33465 // JVNDB: JVNDB-2009-001639 // PACKETSTORM: 74357 // PACKETSTORM: 74348 // CNNVD: CNNVD-200901-384 // NVD: CVE-2008-3358

REFERENCES

url:http://www.csnc.ch/misc/files/advisories/cve-2008-3358.txt

Trust: 1.7

url:http://service.sap.com/sap/support/notes/1235253

Trust: 1.7

url:http://www.securitytracker.com/id?1021638

Trust: 1.6

url:http://www.securityfocus.com/bid/33465

Trust: 1.6

url:http://secunia.com/advisories/33685

Trust: 1.6

url:http://osvdb.org/51627

Trust: 1.6

url:http://www.securityfocus.com/archive/1/500415/100/0/threaded

Trust: 1.0

url:http://www.vupen.com/english/advisories/2009/0255

Trust: 1.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48237

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3358

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3358

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/48237

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/500415/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2009/0255

Trust: 0.6

url:http://www.sap.com/platform/netweaver/index.epx

Trust: 0.3

url:https://www.sdn.sap.com/irj/sdn/webdynpro

Trust: 0.3

url:/archive/1/500415

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2008-3358

Trust: 0.1

url:https://www.sap.com)

Trust: 0.1

url:http://www.csnc.ch/en/downloads/advisories.html

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/product/9490/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/33685/

Trust: 0.1

sources: BID: 33465 // JVNDB: JVNDB-2009-001639 // PACKETSTORM: 74357 // PACKETSTORM: 74348 // CNNVD: CNNVD-200901-384 // NVD: CVE-2008-3358

CREDITS

Martin Suess

Trust: 0.4

sources: BID: 33465 // PACKETSTORM: 74357

SOURCES

db: BID | id: 33465
db: JVNDB | id: JVNDB-2009-001639
db: PACKETSTORM | id: 74357
db: PACKETSTORM | id: 74348
db: CNNVD | id: CNNVD-200901-384
db: NVD | id: CVE-2008-3358

LAST UPDATE DATE

2024-11-23T23:00:07.564000+00:00


SOURCES UPDATE DATE

db: BID | id: 33465 | date: 2009-01-27T20:39:00
db: JVNDB | id: JVNDB-2009-001639 | date: 2009-07-08T00:00:00
db: CNNVD | id: CNNVD-200901-384 | date: 2009-02-05T00:00:00
db: NVD | id: CVE-2008-3358 | date: 2024-11-21T00:49:03.553

SOURCES RELEASE DATE

db: BID | id: 33465 | date: 2009-01-27T00:00:00
db: JVNDB | id: JVNDB-2009-001639 | date: 2009-07-08T00:00:00
db: PACKETSTORM | id: 74357 | date: 2009-01-27T23:35:23
db: PACKETSTORM | id: 74348 | date: 2009-01-27T15:25:01
db: CNNVD | id: CNNVD-200901-384 | date: 2009-01-28T00:00:00
db: NVD | id: CVE-2008-3358 | date: 2009-01-28T18:30:00.170