

[DSECRG-09-021] SAP Cfolders Multiple Linked XSS Vulnerabilities

Multiple linked (reflected) XSS vulnerabilities were found in the SAP cFolders engine. An attacker can craft a malicious link
that, when opened by a victim, steals that user's or an administrator's session cookie.


Application: SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL: http://SAP.com
Bugs: Multiple Linked XSS
Risk: High
Exploits: YES
Reported: 12.01.2009
Vendor response: 13.01.2009
patched: 21.01.2009
Date of Public Advisory: 21.04.2009
CVE-number:
Reference: SAP note 1292875
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


Description
***********

cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.
cFolders is part of a suite of applications powered by SAP® NetWeaver™ that integrates project management,
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise
environments.

cFolders is integrated with SAP ECC, SAP Product Lifecycle
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP
NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view online, subscribe to changes in, and
redline documents and product information. Partners and suppliers can interact with cFolders in predefined
collaborative or competitive scenarios.


Details
*******

Multiple linked (reflected) XSS vulnerabilities were found in the SAP cFolders engine. The vulnerable BSP pages
echo the value of the "p_current_role" URL parameter into the HTML response without output encoding, so any
attacker who can get a victim to open a crafted link can run script in the victim's cFolders session and steal
that user's or an administrator's session cookie.

Three linked XSS vulnerabilities were identified; example vectors for two of them follow.


1. A linked XSS was found on the col_table_filter.htm page. Vulnerable parameter "p_current_role"

Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>


2. A linked XSS was found on the me_ov.htm page. Vulnerable parameter - "p_current_role"


Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>
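The following is an added example, not code from the advisory or from SAP: a small Python probe that builds the test URL for a given page and parameter, classifies whether the "p_current_role" value comes back raw or HTML-encoded, and shows the encoding fix side by side with the vulnerable behaviour. The server side is simulated with two hypothetical render functions (`vulnerable_render`, `safe_render`) because the real BSP page logic is not public, so the script runs offline. Note that the advisory's `<IMG/SRC=JaVaScRiPt:...>` vector relies on browsers of that era executing javascript: URLs in image sources; current browsers do not, so when re-testing a fix you would substitute a vector such as an event-handler attribute, but the reflection check below is independent of which payload is used.

```python
"""Reflected-XSS probe for a query parameter echoed into HTML.

Added example (not part of the DSecRG advisory). `vulnerable_render` and
`safe_render` are hypothetical stand-ins for the BSP page logic; the HTTP
exchange is simulated by `handle()` so the script runs offline.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Vector quoted in the advisory: a marker string followed by the injected tag.
PAYLOAD = "aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>"
MARKER = "aaaaaaaa"
PARAM = "p_current_role"
BSP_PATH = "/sap/bc/bsp/sap/cfx_rfc_ui/"


def build_probe_url(base: str, page: str, param: str = PARAM) -> str:
    """URL-encode the payload so the request itself is well-formed; the
    server decodes it before echoing, which is where the bug lives."""
    return f"{base}{BSP_PATH}{page}?{urlencode({param: PAYLOAD})}"


def vulnerable_render(role: str) -> str:
    # Hypothetical pre-fix behaviour: the untrusted value is interpolated
    # straight into the markup, so an injected tag is parsed as HTML.
    return f"<html><body><h1>Current role: {role}</h1></body></html>"


def safe_render(role: str) -> str:
    # Fixed behaviour: HTML-encode the value (including quotes) before it
    # reaches the markup, so '<' becomes '&lt;' and no tag is created.
    return f"<html><body><h1>Current role: {html.escape(role, quote=True)}</h1></body></html>"


def handle(url: str, render) -> str:
    """Simulated server: parse the query string and render the page with
    the given render function (constructed response, no network I/O)."""
    query = parse_qs(urlsplit(url).query)
    role = query.get(PARAM, [""])[0]
    return render(role)


def classify_reflection(body: str) -> str:
    """'unencoded' = the injected tag survives verbatim (exploitable);
    'encoded' = the marker is present but the tag was neutralised;
    'not reflected' = the parameter is not echoed at all."""
    if PAYLOAD in body:
        return "unencoded"
    if MARKER in body:
        return "encoded"
    return "not reflected"


def probe(base: str, page: str, render) -> dict:
    url = build_probe_url(base, page)
    body = handle(url, render)
    return {"url": url, "page": page, "result": classify_reflection(body)}


if __name__ == "__main__":
    for page in ("col_table_filter.htm", "me_ov.htm"):
        print(probe("https://sapserver", page, vulnerable_render))
        print(probe("https://sapserver", page, safe_render))
```

Against a live system, `handle()` would be replaced by an authenticated GET to the probe URL; everything else stays the same. Classifying on the presence of the marker separately from the full payload matters: a response that contains `aaaaaaaa&lt;IMG` is encoded and safe, while one that contains the literal `<IMG` is the exploitable case, and a response with neither means the parameter is not reflected on that page.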


Fix Information
***************
The issue has been fixed. See SAP note 1292875.


References:
***********
SAP note 1292875

https://service.sap.com/sap/support/notes/1292875



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru
