Services Vulnerabilities Exploits Publications News Blog About DSecRG

[DSECRG-09-021] SAP Cfolders Multiple Linked XSS Vulnerabilities

Multiple Linked XSS vulnerabilities were found in SAP Cfolders engine. An attacker can create a vulnerable link
and steal user's or Administrator's cookie.

Application: SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL:
Bugs: Multiple Liked XSS
Risk: Hight
Exploits: YES
Reported: 12.01.2009
Vendor response: 13.01.2009
patched: 21.01.2009
Date of Public Advisory: 21.04.2009
Reference: SAP note 1292875
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


cFolders (Collaboration Folders) is the SAP web-based application for collaborative sharing of information.
cFolders is part of a suite of applications powered by SAP® NetWeaver™ that integrates project management,
knowledge management and resource management in collaborative inter-enterprise and intra-enterprise

cFolders is integrated to SAP ECC, SAP Product Lifecycle
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge Management and SAP
NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view on-line, subscribe for changes, and
redline documents and product information. Partners and suppliers can interact with cFolders in predefined
collaborative or competitive scenarios.


Multiple Linked XSS vulnerabilities were found in SAP Cfolders engine. Any user can cheat a vulnerable link
and steal user's or Administrator's cookie.

He can do this using 3 Linked XSS vulnerabilities.

1. 1. A linked XSS was found on the col_table_filter.htm page. Vulnerable parameter "p_current_role"


2. A linked XSS was found on the me_ov.htm page. Vulnerable parameter - "p_current_role"

https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role= aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

Fix Information
The issue has been solved. See SAP note 1292875.

SAP note 1292875


Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com

Vulnerabilities RSS RSS
[DSECRG-12-019] vCenter Orchestrator - password disclosure

[DSECRG-12-018] Oracle Application Server - multiple security vulnerabilities

[DSECRG-12-017] ASUS Net4Switch ipswcom.dll ActiveX - buffer overflow vulnerability

[DSECRG-12-016] SAP MessagingSystem - information disclosure

[DSECRG-12-014] SAP Internet Sales - XSS

[DSECRG-12-015] SAP Adapter Monitor - information disclosure

Vulnerabilities list

© 2002—2014, ERPScan
For quoting or using materials from this site
link is obligatory

+44 (20) 81334493    e-mail:
Rss: Vulnerabilities, Exploits, News, Publications, Summary