SAP Cfolders Multiple Stored XSS Vulnerabilies

["Digital Security Research Group [DSecRG]" <research@xxxxxxxxxx>]

Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-014

Original advisory: http://dsecrg.com/pages/vul/show.php?id=114

Application:                    SAP Cfolders (included in: SAP SRM, SAP ECC, 
SAP Knowledge Management and SAP NetWeaver cRooms)
Vendor URL:                     http://SAP.com
Bugs:                           Multiple Stored XSS
Risk:                           Hight
Exploits:                       YES
Reported:                       04.12.2008
Vendor response:                05.12.2008
Vulnerability patched:          15.12.2008
Date of Public Advisory:        21.04.2009
Reference:                      SAP note 1284360
Author:                         Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)



Description
***********


cFolders (Collaboration Folders) is the SAP web-based  application for 
collaborative sharing of information. 
cFolders is part of a suite of applications powered by SAP NetWeaver that 
integrate project management, 
knowledge management and resource management in collaborative inter-enterprise 
and intra-enterprise 
environments. 

cFolders is integrated to SAP ECC, SAP Product Lifecycle 
Management (PLM), SAP Supplier Relationship Management (SRM), SAP Knowledge 
Management and SAP 
NetWeaver cRooms (collaboration rooms). Virtual teams can access, view online, 
subscribe for changes, and 
redline documents and product information. Partners and suppliers can interact 
with cFolders in predefined 
collaborative or competitive scenarios. 



Details
*******

Multiple Stored XSS vulnerabilities found in SAP Cfolders engine. User which is 
a business partner of 
organization can steal Administrators cookie by inserting javascript into 
CFolders system.
He can do this using 2 Stored XSS vulnerabilities.

SAP Server dont associate session identificators with users IP adress or with 
any other additional data.
IT autentificate users Only by cookies. So any user which can steal 
administrators cookie can use them to authentificate with administrator rights.


1. User can insert javascript code into site using  link creation option 

He can inject javascript code into LINK field on page

https://[site]/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm


example LINK value:

http://test.com"; onmouseover="alert(document.cookie)">

Then when administrator will browse for user folders script will execute. 


2. Second XSS vulnerability found in document uploading area.
User can create a document with file name included javascript code.


example filename value:

aaaa"><script>alert()</script>.doc

To do this user must change file name in http request when sending a request 
for file uploading.

So using this vulnerability user can steal cookie like he do in first example.



Fix Information
***************

The issue has been solved. See SAP note 1284360.


References:
***********

SAP note 1284360

https://service.sap.com/sap/support/notes/1284360



About
*****

Digital Security is leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:        research [at] dsecrg [dot] com
                http://www.dsecrg.com 
                http://www.dsec.ru