Services Vulnerabilities Exploits Publications News Blog About DSecRG


[DSECRG-09-014] SAP Cfolders Multiple Stored XSS Vulnerabilies

Multiple Stored XSS vulnerabilities were found in SAP Cfolders engine. Any User can steal Administrator's or user's cookie by inserting javascript into CFolders system

Application: SAP Cfolders (included in: SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms)
Vendor URL: http://SAP.com
Bugs: Multiple Stored XSS
Risk: Hight
Exploits: YES
Reported: 04.12.2008
Vendor response: 05.12.2008
Vulnerability patched: 15.12.2008
Date of Public Advisory: 21.04.2009
Reference: SAP note 1284360
CVE-number:
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********


cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.
cFolders is part of a suite of applications powered by SAP NetWeaver that integrates project management,
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise
environments.

cFolders is integrated to SAP ECC, SAP Product Lifecycle
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP
NetWeaver cRooms (collaboration rooms). Virtual teams can access, view online, subscribe for changes, and
redline documents and product information. Partners and suppliers can interact with cFolders in predefined
collaborative or competitive scenarios.


Details
*******

Multiple Stored XSS vulnerabilities were found in SAP Cfolders engine. The user who is a business partner of an
organization can steal Administrator's cookie by inserting javascript into CFolders system.
He can do this using 2 Stored XSS vulnerabilities.

SAP Server doesn't associate session identificators with users IP-adress or with any other additional data.
IT autenticates users ONLY by cookies. So any user who can steal Administrator's cookie can use them to authenticate with administrative rights.


1. A user can insert javascript code into site using a link creation option

He can inject javascript code into LINK field on the page

https://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm


example LINK value:

http://test.com" onmouseover="alert(document.cookie)">

In this case when Administrator browses user folders, the script will execute.


2. The second XSS vulnerability was found in the document uploading area.
A user can create a document with a file name including javascript code.


example filename value:

aaaa"><script>alert()</script>.doc

To do this user must change the file name in http-request when sending a request for a file upload.

So using this vulnerability a user can steal cookie like he does in the first example.



Fix Information
***************
The issue has been solved. See SAP note 1284360.


References:
***********
SAP note 1284360

https://service.sap.com/sap/support/notes/1284360


About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru

Vulnerabilities RSS RSS
21.03.2012
[DSECRG-12-019] vCenter Orchestrator - password disclosure

22.02.2012
[DSECRG-12-018] Oracle Application Server - multiple security vulnerabilities

17.02.2012
[DSECRG-12-017] ASUS Net4Switch ipswcom.dll ActiveX - buffer overflow vulnerability

17.02.2012
[DSECRG-12-016] SAP MessagingSystem - information disclosure

17.02.2012
[DSECRG-12-014] SAP Internet Sales - XSS

17.02.2012
[DSECRG-12-015] SAP Adapter Monitor - information disclosure

Vulnerabilities list


© 2002—2014, ERPScan
For quoting or using materials from this site
link is obligatory

+44 (20) 81334493    e-mail: research@dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary
Search