[ERPSCAN-17-044] XSS in SAP NetWeaver AS Java SRM

Application: SAP SRM
Versions Affected: SAP SRM 701 – 714
Vendor URL: SAP
Bug: XSS
Reported: 17.05.2017
Vendor response: 18.05.2017
Date of Public Advisory: 08.08.2017
Reference: SAP Security Note 2493099
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: XSS
Risk: Medium
Impact: Session hijacking
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 6.1 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

DESCRIPTION

An attacker can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.

BUSINESS RISK

An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. A reflected XSS attack requires the attacker to trick the user: he or she must make the user follow a specially crafted link. In a stored XSS attack, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action. The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the site. The attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to gain control over this information. XSS can also be used for unauthorized modification of the displayed site content.

VULNERABLE PACKAGES

SRM_SERVER 701, 702, 713, 714

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2493099.

TECHNICAL DESCRIPTION

The vulnerable JSP is attached in this report.

Proof of Concept