[ERPSCAN-17-002] SAP NetWeaver AS JAVA XSS in portal app component

Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver AS Java RTC 7.0-7.3
Vendor URL: SAP
Bugs: XSS
Reported: 22.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 10.01.2017
Reference: SAP Security Note 2341302
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: XSS
Impact: modify displayed content from a Web application, steal authentication information of a user
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 6.1 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

Description

An attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.

Business risk

The XSS vulnerability allows an attacker

  • to damage or modify displayed content from a Web application;
  • to steal the user’s authentication information (e.g., data relating to his or her current session);
  • to impersonate the user to get access to all information with the same rights as the target user.
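The session-theft chain described above needs two things: a reflected value rendered into the page without encoding, and a session cookie that script can read. The following is an added example, not code from the advisory or from SAP, showing the unsafe rendering beside its hardened form and the cookie attributes that keep the session identifier out of reach of injected script; the cookie name, function names and sample input are constructed for illustration.

```python
# Added example (not from the ERPScan advisory or SAP): reflected output
# encoding and session-cookie hardening for an XSS finding of this class.
import html
from urllib.parse import quote

SESSION_COOKIE = "JSESSIONID"  # assumed name for the example


def render_unsafe(query: str) -> str:
    """'Before': the request parameter is pasted into the page verbatim,
    so any markup it carries becomes part of the DOM and runs."""
    return (f"<h1>Results for {query}</h1>\n"
            f"<a href='/search?q={query}'>Search again</a>")


def render_safe(query: str) -> str:
    """'After': encode for the context the value lands in.
    html.escape(quote=True) is correct for text and double-quoted
    attributes; quote() is correct for a URL query component."""
    text = html.escape(query, quote=True)
    url = quote(query, safe="")
    return (f"<h1>Results for {text}</h1>\n"
            f'<a href="/search?q={url}">Search again</a>')


def session_cookie(value: str) -> str:
    """Set-Cookie value for the session identifier. HttpOnly keeps it out
    of document.cookie, Secure keeps it off plaintext HTTP, SameSite=Lax
    blocks most cross-site submission of it."""
    return f"{SESSION_COOKIE}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def has_live_tag(rendered: str, tag: str = "script") -> bool:
    """Crude check for the comparison below: does an unescaped <tag
    element survive rendering? A real scanner parses the DOM."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print("unsafe renders live script:", has_live_tag(render_unsafe(sample)))
    print("safe renders live script:  ", has_live_tag(render_safe(sample)))
    print(session_cookie("example-session-id"))
```

Output encoding removes the injection; HttpOnly limits what a residual injection can take. Both are worth verifying on a patched system, since the note fixes the former and the latter is a configuration choice.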

VULNERABLE PACKAGES

RTC 7.00
RTC 7.01
RTC 7.02
RTC 7.30

Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2341302.

TECHNICAL DESCRIPTION

Proof of Concept