SAP Cfolders Multiple Linked XSS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx
Subject: SAP Cfolders Multiple Linked XSS Vulnerabilities
From: "Digital Security Research Group [DSecRG]" <research@xxxxxxxxxx>
Date: Wed, 22 Apr 2009 03:47:01 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Digital Security
Reply-to: "CTac C." <research@xxxxxxxxxx>

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-021

Original advisory: http://dsecrg.com/pages/vul/show.php?id=121

Application: SAP Cfolders (SAP SRM, SAP ECC, SAP Knowledge
Management and SAP NetWeaver cRooms (collaboration rooms))
Vendor URL: http://SAP.com
Bugs: Multiple Liked XSS
Risk: Hight
Exploits: YES
Reported: 12.01.2009
Vendor response: 13.01.2009
patched: 21.01.2009
Date of Public Advisory: 21.04.2009
Reference: SAP note 1292875
Author: Digital Security Research Group [DSecRG]
(research [at] dsec [dot] ru)

Description
***********

cFolders (Collaboration Folders) is the SAP web-based application for
collaborative sharing of information.
cFolders is part of a suite of applications powered by SAP® NetWeaver™ that
integrate project management,
knowledge management and resource management in collaborative inter-enterprise
and intra-enterprise
environments.

cFolders is integrated to SAP ECC, SAP Product Lifecycle
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge
Management and SAP
NetWeaver™ cRooms (collaboration rooms). Virtual teams can access, view online,
subscribe for changes, and
redline documents and product information. Partners and suppliers can interact
with cFolders in predefined
collaborative or competitive scenarios.

Details
*******

Multiple Linked XSS vulnerabilities found in SAP Cfolders engine. Any user can
cheate a vulnerable link
and steal user's or administrator's cookie.

He can do this using 3 Linked XSS vulnerabilities.

1. Linked XSS found in col_table_filter.htm page. Vulnerable parameter
"p_current_role"

Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

2. Linked XSS found in me_ov.htm page. Vulnerable parameter "p_current_role"

Example:
https://sapserver/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=
aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

Fix Information
***************

The issue has been solved. See SAP note 1292875.

References:
***********

SAP note 1292875

https://service.sap.com/sap/support/notes/1292875

About
*****

Digital Security is leading IT security company in Russia, providing
information security consulting, audit and penetration testing services, risk
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and
PCI DSS standards. Digital Security Research Group focuses on web application
and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru

Prev by Date: CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator
Next by Date: SAP Cfolders Multiple Stored XSS Vulnerabilies
Previous by thread: CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator
Next by thread: SAP Cfolders Multiple Stored XSS Vulnerabilies
Index(es):
- Date
- Thread