

[DSECRG-09-021] SAP Cfolders Multiple Linked XSS Vulnerabilities

Multiple linked (reflected) XSS vulnerabilities were found in the SAP cFolders engine. An attacker can craft a malicious link
and steal a user's or administrator's cookie.


Application: SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL: http://SAP.com
Bugs: Multiple Linked XSS
Risk: High
Exploits: YES
Reported: 12.01.2009
Vendor response: 13.01.2009
patched: 21.01.2009
Date of Public Advisory: 21.04.2009
CVE-number:
Reference: SAP note 1292875
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


Description
***********

cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.
cFolders is part of a suite of applications powered by SAP® NetWeaver™ that integrates project management,
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise
environments.

cFolders is integrated with SAP ECC, SAP Product Lifecycle
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP
NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view online, subscribe to changes in, and
redline documents and product information. Partners and suppliers can interact with cFolders in predefined
collaborative or competitive scenarios.


Details
*******

Multiple linked (reflected) XSS vulnerabilities were found in the SAP cFolders engine. Any user can craft a malicious link
and steal a user's or administrator's cookie.

This can be done using 3 linked XSS vulnerabilities.


1. A linked XSS was found on the col_table_filter.htm page. Vulnerable parameter: "p_current_role"

Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>


2. A linked XSS was found on the me_ov.htm page. Vulnerable parameter: "p_current_role"


Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>
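The two examples above share one root cause: the value of p_current_role is reflected into the page without HTML encoding. The following Python is an added example (not code from DSecRG or SAP) that shows both sides of that from a defender's view: a log scanner that flags requests to the two affected BSP pages whose p_current_role value decodes to markup or script (useful for checking whether the vulnerability was probed before SAP note 1292875 was applied), and the unsafe-versus-encoded rendering of the parameter that distinguishes the vulnerable behaviour from the fix. It assumes Apache/ICM "combined" access-log format; the log lines, client addresses and timestamps are constructed, and the payload is the advisory's own test string.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages and parameter named in the advisory (DSECRG-09-021).
AFFECTED_PAGES = ("col_table_filter.htm", "me_ov.htm")
AFFECTED_PARAM = "p_current_role"

# Markup or script indicators looked for after percent-decoding:
# an opening tag, a javascript: URL, or an on*= event-handler attribute.
XSS_PATTERN = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Combined log format: client, ident, user, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The advisory's test payload, used here only as sample input.
PAYLOAD = "aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>"

# Constructed access-log lines (hypothetical hosts and times), one benign request,
# one single-encoded probe, one double-encoded probe, and one request to an unrelated page.
LOG_LINES = [
    '10.0.0.5 - - [21/Apr/2009:10:01:12 +0300] "GET /sap/bc/bsp/sap/cfx_rfc_ui/'
    'col_table_filter.htm?p_current_role=buyer HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Apr/2009:10:02:45 +0300] "GET /sap/bc/bsp/sap/cfx_rfc_ui/'
    'col_table_filter.htm?p_current_role=aaaaaaaa%3CIMG%2FSRC%3DJaVaScRiPt%3Aalert'
    '%28%27DSECRG%27%29%3E HTTP/1.1" 200 5311',
    '10.0.0.9 - - [21/Apr/2009:10:03:01 +0300] "GET /sap/bc/bsp/sap/cfx_rfc_ui/'
    'me_ov.htm?p_current_role=%253CIMG%252FSRC%253DJaVaScRiPt%253Aalert%2528%2527'
    'DSECRG%2527%2529%253E HTTP/1.1" 200 4870',
    '10.0.0.7 - - [21/Apr/2009:10:04:30 +0300] "GET /sap/bc/bsp/sap/cfx_rfc_ui/'
    'other.htm?p_current_role=%3Cb%3E HTTP/1.1" 404 210',
]


def find_xss_in_url(target):
    """Return decoded p_current_role values in `target` that look like markup injection.

    Only requests for the two affected pages are considered. parse_qs performs one
    percent-decoding pass; a second unquote() catches double-encoded probes.
    """
    parts = urlsplit(target)
    page = parts.path.rsplit("/", 1)[-1].lower()
    if page not in AFFECTED_PAGES:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for value in params.get(AFFECTED_PARAM, []):
        decoded = unquote(value)
        if XSS_PATTERN.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines):
    """Yield (client_ip, page, decoded_value) for every suspicious request in `lines`."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        page = urlsplit(target).path.rsplit("/", 1)[-1]
        for decoded in find_xss_in_url(target):
            findings.append((m.group("ip"), page, decoded))
    return findings


def render_role_unsafe(role):
    """Vulnerable pattern: the parameter is concatenated into HTML verbatim."""
    return "<h2>Role: " + role + "</h2>"


def render_role_safe(role):
    """Fixed pattern: HTML-encode the parameter so it is displayed, never parsed."""
    return "<h2>Role: " + html.escape(role, quote=True) + "</h2>"


if __name__ == "__main__":
    for ip, page, value in scan_access_log(LOG_LINES):
        print(f"{ip} probed {page} with: {value}")
    print(render_role_unsafe(PAYLOAD))
    print(render_role_safe(PAYLOAD))
```

The scanner keys on the specific pages and parameter from the advisory rather than on a generic "<script" string, so it produces few false positives while still catching case variation and the IMG/javascript: form used in the examples. The two render functions show why the fix is output encoding at the point of reflection: the same input that becomes a live tag in render_role_unsafe is rendered as inert text by render_role_safe.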


Fix Information
***************
The issue has been solved. See SAP note 1292875.


References:
***********
SAP note 1292875

https://service.sap.com/sap/support/notes/1292875



About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru

© 2002—2014, ERPScan