SAP Multiple Vulnerabilities

Advisory Information 
Title: SAP Multiple Vulnerabilities
Release date: 28/05/2014
Last update: 20/06/2014
Credits: Enrico Milanese, Emaze Networks S.p.A.

Vulnerability Information 
Class: Cross Site Scripting, Arbitrary Redirect
CVE: 2014-4159, 2014-4160, 2014-4161
CVSS: 5.8

Affected Software 
  • SAP NetWeaver Business Client
  • SAP Supplier Relationship Management Release 673 SP0

Vulnerability Details
The NWBC (NetWeaver Business Client) exposes some test/debug nodes (related to development functionality) that should be disabled on production systems; the testcanvas node is vulnerable to multiple Cross Site Scripting vulnerabilities through the title and sap-accessibility parameters.

Proof of concept:

http://HOST/sap/bc/nwbc/~testcanvas/?title=<XSS1>&flags=est&roundtrips=1&sap-accessibility=<XSS2>
The SAP SRM (Supplier Relationship Management) component exposes test/debug functionality related to the SSO (Single Sign-On) process; the resource umTestSSO.jsp fails to validate user input before using it in dynamically generated content.
The vulnerability could be used by an attacker to load an arbitrary remote HTML page inside the SAP SRM portal or to conduct Cross Site Scripting attacks against the SAP SRM portal's users.

Proofs of concept:

http://HOST/srm/la/umTestSSO.jsp?url=http://www.emaze.net/

http://HOST/srm/la/umTestSSO.jsp?url=";alert(document.cookie)//
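As an added, defender-side illustration that is not part of the original advisory: a small Python scan over constructed reverse-proxy access log lines that flags any request reaching the two test/debug resources described above and classifies the values of the parameters the advisory names. The resource paths and parameter names come from the advisory; the log format, client IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Test/debug resources named in the advisory and the parameters it reports as unsafe.
DEBUG_PATHS = {
    "/sap/bc/nwbc/~testcanvas/": ("title", "sap-accessibility"),
    "/srm/la/umTestSSO.jsp": ("url",),
}
# Loose indicators of script injection in a decoded parameter value.
SCRIPT_RE = re.compile(r"<\s*script|on\w+\s*=|javascript:|alert\s*\(|[\"';]\s*//", re.I)
# Common Log Format request line (constructed format, as a reverse proxy would log it).
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>\S+) (?P<target>\S+)[^"]*"')
def query_params(query):
    """Decode a raw query string by hand so ';' inside a value is never a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def classify_request(target):
    """Return (path, param, value, reason) for a request to a debug resource, else None."""
    parts = urlsplit(target)
    watched = DEBUG_PATHS.get(parts.path)
    if watched is None:
        return None
    params = query_params(parts.query)
    for name in watched:
        for value in params.get(name, []):
            if SCRIPT_RE.search(value):
                return (parts.path, name, value, "script-injection")
            if name == "url" and urlsplit(value).netloc:  # absolute URL: off-site redirect
                return (parts.path, name, value, "external-redirect")
    return (parts.path, None, "", "debug-endpoint-access")  # reachable at all is a finding

def scan_log(lines):
    """Return one (ip, path, param, value, reason) tuple per suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify_request(m.group("target"))):
            findings.append((m.group("ip"),) + verdict)
    return findings

# Constructed sample lines mirroring the advisory's proof-of-concept requests.
LOG_LINES = [
    '10.0.0.5 - - [28/May/2014:10:00:01 +0200] "GET /sap/bc/nwbc/~testcanvas/?title=%3Cscript%3Ealert(1)%3C/script%3E&flags=est&roundtrips=1&sap-accessibility=x HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/May/2014:10:00:02 +0200] "GET /srm/la/umTestSSO.jsp?url=http://www.emaze.net/ HTTP/1.1" 200 120',
    '10.0.0.6 - - [28/May/2014:10:00:03 +0200] "GET /srm/la/umTestSSO.jsp?url=%22;alert(document.cookie)// HTTP/1.1" 200 120',
]
```

Any hit on these paths on a production host is worth investigating even with benign parameter values, since the advisory's point is that the resources should not be reachable at all.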

Remediation
Apply the security patches provided by the vendor: