In association with heise online

29 June 2007, 10:18

Cross-site scripting flaws in SAP products


Cyrill Brunschwiler of Compass Security has reported bugs in several SAP products, which may be exploited for cross-site scripting attacks. The bugs reside in SAP's Web Dynpro Java and in the Internet Communication Framework.

If a log-in attempt fails, the Internet Communication Framework returns a log-in error page that reflects the user's input without sanitising it. This response can be abused for cross-site scripting attacks. If Web Dynpro Java is running in test or development mode, the NetWeaver application returns responses that echo the User-Agent header without proper encoding. To exploit this second flaw, an attacker first has to get the victim's browser to send a spoofed User-Agent header, which, according to the report, can be done with JavaScript or Flash.
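The pattern behind both flaws is the same: an untrusted value (a submitted user name, a request header) is concatenated into an HTML response without output encoding. The following Python is an added illustration, not code from SAP or from the Compass Security report: it shows a reflected-input page and a User-Agent echo page in a vulnerable form beside a hardened form, plus the check a tester would run against a response. The sample payloads and page layouts are constructed for the example.

```python
import html

# Constructed sample inputs standing in for the two reflection points the
# advisory describes (assumptions for this illustration, not from the report).
SAMPLE_USER = 'alice"><script>alert(1)</script>'
SAMPLE_UA = "Mozilla/5.0 <img src=x onerror=alert(document.cookie)>"


def login_error_page_vulnerable(user: str) -> str:
    """Flaw pattern: the submitted user name is placed into HTML unencoded."""
    return (
        "<html><body><h1>Logon failed</h1>"
        f"<p>User {user} could not be authenticated.</p>"
        "</body></html>"
    )


def login_error_page_fixed(user: str) -> str:
    """Hardened: HTML-encode every untrusted value at the point of output.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return (
        "<html><body><h1>Logon failed</h1>"
        f"<p>User {html.escape(user, quote=True)} could not be authenticated.</p>"
        "</body></html>"
    )


def debug_page_vulnerable(headers: dict) -> str:
    """Test/development-mode diagnostic that echoes the User-Agent header raw."""
    ua = headers.get("User-Agent", "")
    return f"<html><body><pre>User-Agent: {ua}</pre></body></html>"


def debug_page_fixed(headers: dict) -> str:
    """Same diagnostic with the header value HTML-encoded before output."""
    ua = headers.get("User-Agent", "")
    return f"<html><body><pre>User-Agent: {html.escape(ua, quote=True)}</pre></body></html>"


def reflects_unencoded(page: str, marker: str) -> bool:
    """Tester's check: does a markup-bearing fragment of the payload survive
    verbatim in the response? If so, the output is not being encoded."""
    return marker in page


if __name__ == "__main__":
    # Mentally executed: the vulnerable pages echo the tags, the fixed ones
    # return &lt;script&gt; / &lt;img ...&gt; instead.
    for name, page in [
        ("login vulnerable", login_error_page_vulnerable(SAMPLE_USER)),
        ("login fixed", login_error_page_fixed(SAMPLE_USER)),
        ("debug vulnerable", debug_page_vulnerable({"User-Agent": SAMPLE_UA})),
        ("debug fixed", debug_page_fixed({"User-Agent": SAMPLE_UA})),
    ]:
        print(f"{name}: unencoded markup reflected = {reflects_unencoded(page, '<')}")
```

The `reflects_unencoded` check is what a scanner does when it submits a marker such as `<script>` and looks for it verbatim in the reply; the hardened pages return `&lt;script&gt;`, which the browser renders as text rather than executing.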

Affected products include SAP NetWeaver NW04 SP15 to SP19, NW04s SP7 to SP11, and the SAP Basis components 640 SP20 and 700 SP12. SAP provides patches for these vulnerabilities to registered users.
