Cross-site scripting flaws in SAP products
Cyrill Brunschwiler of Compass Security has reported bugs in several SAP products, which may be exploited for cross-site scripting attacks. The bugs reside in SAP's Web Dynpro Java and in the Internet Communication Framework.
If a login fails, the Internet Communication Framework delivers a login error page that contains unsanitised user input. This response may be abused to conduct cross-site scripting attacks. If Web Dynpro Java runs in testing or development mode, the NetWeaver application sends responses that contain the User-Agent header without proper encoding. Attackers could exploit this vulnerability by using JavaScript or Flash to spoof the user agent.
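The two defects described above are the same pattern: a value the client controls (the login name, the User-Agent header) is copied into an HTML response without encoding. The following added example, which is not code from SAP or from the advisory, shows a minimal error page built both ways and a check that confirms the encoded version no longer carries the raw markup. The page layout, function names and sample inputs are constructed for illustration.

```python
import html

# Constructed sample inputs (not taken from the advisory): a login name and a
# User-Agent value that both carry harmless HTML markup.
SAMPLE_USER = "alice<b>x</b>"
SAMPLE_AGENT = "Mozilla/5.0 <i>test-agent</i>"


def login_error_page_unsafe(user: str, user_agent: str) -> str:
    """Hypothetical flawed page: untrusted values are interpolated verbatim."""
    return (
        "<html><body>"
        f"<p>Login failed for user {user}.</p>"
        f"<p>Client: {user_agent}</p>"
        "</body></html>"
    )


def login_error_page_safe(user: str, user_agent: str) -> str:
    """Hardened page: every untrusted value is HTML-encoded before output.

    quote=True also encodes quotes, so the value is safe inside attributes too.
    """
    return (
        "<html><body>"
        f"<p>Login failed for user {html.escape(user, quote=True)}.</p>"
        f"<p>Client: {html.escape(user_agent, quote=True)}</p>"
        "</body></html>"
    )


def reflects_raw_markup(page: str, untrusted: str) -> bool:
    """Return True if the untrusted value appears in the page byte-for-byte,
    i.e. its angle brackets were not encoded."""
    return untrusted in page


if __name__ == "__main__":
    unsafe = login_error_page_unsafe(SAMPLE_USER, SAMPLE_AGENT)
    safe = login_error_page_safe(SAMPLE_USER, SAMPLE_AGENT)
    print("unsafe reflects markup:", reflects_raw_markup(unsafe, SAMPLE_USER))  # True
    print("safe reflects markup:  ", reflects_raw_markup(safe, SAMPLE_USER))    # False
    print(safe)
```

The same `reflects_raw_markup` check can be run against a captured login-failure response during a review: if the login name or User-Agent string you sent comes back unchanged inside the HTML, the response is reflecting input without encoding.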
Affected products include SAP NetWeaver NW04 SP15 to SP19, NW04s SP7 to SP11, and also the SAP Basis components 640 SP20 and 700 SP12. For registered users, SAP provides patches to fix this vulnerability.
- Multiple XSS, HTML Injection in NetWeaver, Web Dynpro Java, security advisory by Compass Security
- Multiple XSS, HTML Injection in Internet Communication Framework, security advisory by Compass Security
(mba)