[Full-disclosure] CYBSEC - Security Advisory: Multiple XSS in SAP WAS
lmeiners at cybsec.com
Wed Nov 9 13:11:22 GMT 2005
(The following advisory is also available in PDF format for download at:
Advisory Name: Multiple XSS in SAP WAS (Web Application Server)
Vulnerability Class: Cross-Site Scripting
Release Date: 11/09/2005
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00
Local / Remote: Remote
Author: Leandro Meiners.
* Confirmed, patch released.
Reference to Vulnerability Disclosure Policy:
SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
The vulnerability discovered only applies to the BSP runtime of SAP WAS.
injection, allowing for Cross-Site Scripting attacks. Three different
vectors for script injection where discovered:
* Error Pages (in error messages displayed) (SAP WAS 6.20 and above not
* The syscmd parameter
* SYSTEM PUBLIC (Test Application)
Following is a Proof of Concept for each script injection vector:
* Error Pages:
* The syscmd parameter:
* Test Application (SYSTEM PUBLIC):
For solutions regarding Error Pages and the syscmd parameter as attack
vectors please see SAP Note 887323, which indicates Service Packs to
For solutions regarding SYSTEM PUBLIC Test Application please see SAP
Note 887164 which lists all test applications that shouldn't be
activated on production systems. Regarding XSS issues the BSP compiler
has been extended to have a new forceEncode="HTML" page directive, for
more information see SAP Note 887168. This new feature will be applied
to test applications in the next SP cycle. All test applications should
always be removed from production systems, customers can use transaction
SMICM to disable the test applications.
* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.
Special thanks go to Mariano Nuñez Di Croce.
For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.
For more information regarding CYBSEC: www.cybsec.com
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600
Full-Disclosure is hosted and sponsored by Secunia.