Exploitalert - Database of Exploits

Multiple XSS in SAP WAS

CVE	Category	Price	Severity
CVE-2021-21470	CWE-79	$2,500	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2005-11-18

CPE
cpe:cpe:/a:sap:web_application_server

CVSS	EPSS	EPSSP
CVSS:5.4/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	0.18442	0.54565

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

http://cxsecurity.com/ascii/WLB-2005110024

(The following advisory is also available in PDF format for download at: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_ WAS.pdf ) CYBSEC S.A. www.cybsec.com Advisory Name: Multiple XSS in SAP WAS (Web Application Server) Vulnerability Class: Cross-Site Scripting Release Date: 11/09/2005 Affected Applications: * SAP WAS 6.10 * SAP WAS 6.20 * SAP WAS 6.40 * SAP WAS 7.00 Affected Platforms: * Platform-Independent Local / Remote: Remote Severity: Medium Author: Leandro Meiners. Vendor Status: * Confirmed, patch released. Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Product Overview: ================= SAP Web Application Server is an open standard-based platform for developing, and implementing Web applications. SAP Web Application Server is a crucial component of mySAP® Technology platform as it serves as the underlying infrastructure for many SAP solutions (for example, SAP Portal). SAP WAS provides a development infrastructure on which to develop, distribute, and execute platform-independent Web services and business applications. SAP Web Application Server supports ABAP, Java, and Web services. The vulnerability discovered only applies to the BSP runtime of SAP WAS. Vulnerability Description: SAP Web Application Server was found to be vulnerable to JavaScript injection, allowing for Cross-Site Scripting attacks. Three different vectors for script injection where discovered: * Error Pages (in error messages displayed) (SAP WAS 6.20 and above not Vulnerable) * The syscmd parameter * SYSTEM PUBLIC (Test Application) Exploit (Poc): ============== Following is a Proof of Concept for each script injection vector: * Error Pages: http://sap-was/sap/bc/BSp/sap/index.html%3Cscript%3Ealert('xss')% 3C/script%3E * The syscmd parameter: http://sap-was/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-s yscmd=%3Cscript%3Ealert('xss')%3C/script%3E * Test Application (SYSTEM PUBLIC): In BspApplication field it is possible to inject JavaScript code such as: "<script>alert('xss')</script>. Solutions: ========== For solutions regarding Error Pages and the syscmd parameter as attack vectors please see SAP Note 887323, which indicates Service Packs to apply. For solutions regarding SYSTEM PUBLIC Test Application please see SAP Note 887164 which lists all test applications that shouldn't be activated on production systems. Regarding XSS issues the BSP compiler has been extended to have a new forceEncode="HTML" page directive, for more information see SAP Note 887168. This new feature will be applied to test applications in the next SP cycle. All test applications should always be removed from production systems, customers can use transaction SMICM to disable the test applications. Vendor Response: ================ * 09/23/2005: Initial Vendor Contact. * 09/27/2005: Technical details for the vulnerabilities sent to vendor. * 10/14/2005: Solutions provided by vendor for all vulnerabilities. * 11/09/2005: Coordinate release of advisory. Thanks: ======= Special thanks go to Mariano Nu?ez Di Croce. Contact Information: ==================== For more information regarding the vulnerability feel free to contact the author at lmeiners<at>cybsec.com. For more information regarding CYBSEC: www.cybsec.com ---------------------------- Leandro Meiners CYBSEC S.A. Security Systems E-mail: lmeiners (at) cybsec (dot) com [email concealed] Tel/Fax: [54-11] 4382-1600 Web: http://www.cybsec.com PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index

Impressum