[ERPSCAN-17-047] SAP NetWeaver AS Java logon_app OpenRedirect
Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver AS Java 7.11-7.50
Vendor URL: SAP
Bug: Open redirect
Vendor response: 19.01.2017
Date of Public Advisory: 08.08.2017
Reference: SAP Security Note 2423540
Author: Vahagn Vardanyan (ERPScan)
Class: Open redirect
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score v3: 4.3 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  AV: Attack Vector (related exploit range)                               Network (N)
  AC: Attack Complexity (required attack complexity)                      Low (L)
  PR: Privileges Required (level of privileges needed to exploit)         None (N)
  UI: User Interaction (required user participation)                      Required (R)
  S:  Scope (impact on components beyond the vulnerable component)        Unchanged (U)
  C:  Impact to Confidentiality                                           Low (L)
  I:  Impact to Integrity                                                 None (N)
  A:  Impact to Availability                                              None (N)
An open redirect vulnerability was identified in the logon application (logon_app) of SAP NetWeaver AS Java. An attacker can use it to send a victim to an arbitrary, untrusted site.
An open redirect lets an attacker lure a user to a phishing or malicious site without the user noticing, because the link the user clicks points at the trusted SAP host. It is possible because the application takes a URL parameter and redirects the user to its value without adequate validation of where that value leads.
Vulnerable software component: J2EE-APPS 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2423540.
The servlet does apply a filter: it percent-encodes the colon character (:) as %3a, so a parameter value carrying an explicit scheme such as http://evil.com or https://evil.com no longer forms an absolute URL and cannot be used for the redirect. The filter only looks for the colon, however, so a scheme-relative URL such as //evil.com contains nothing to encode and passes through unchanged. The browser resolves //evil.com against the scheme of the current page and lands on https://evil.com, which bypasses the protection.
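The following Python script is an added example that is not part of the advisory and not SAP's code. It models the colon-encoding filter described above, shows why a browser still ends up on the attacker's host when the value is scheme-relative, and contrasts it with a hardened check that accepts only same-origin absolute paths. The base URL sap.example.com and the function names are assumptions made for the example; the hardened check also goes beyond the advisory by rejecting backslash and percent-encoded variants of the same bypass.

```python
from urllib.parse import urljoin, urlsplit, unquote

# Constructed base URL standing in for the AS Java logon page; hypothetical,
# not taken from the advisory.
BASE_URL = "https://sap.example.com/logon/logon_app"


def weak_redirect_target(value: str) -> str:
    """Our model of the filter the advisory describes: the servlet only
    percent-encodes the colon, so 'http://evil.com' can no longer be parsed
    as an absolute URL. A reconstruction, not SAP's code."""
    return value.replace(":", "%3a")


def browser_resolves(base: str, location: str) -> str:
    """Final URL a browser lands on after following a Location value issued
    from `base` (RFC 3986 reference resolution, which urljoin implements)."""
    return urljoin(base, location)


def redirect_host(base: str, location: str) -> str:
    """Host the victim ends up on: the property an open-redirect check must protect."""
    return urlsplit(browser_resolves(base, location)).netloc


def is_safe_redirect(value: str) -> bool:
    """Hardened check: accept only a same-origin absolute path.

    Rejects absolute URLs (any scheme), scheme-relative URLs (//host),
    backslash variants (/\\host, which browsers normalise to //host),
    control characters, and the same shapes hidden behind one round of
    percent-encoding.
    """
    for candidate in (value, unquote(value)):
        if not candidate:
            return False
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
            return False
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False  # http://evil.com, javascript:..., //evil.com
        if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
            return False  # relative-to-current-dir paths and /\evil.com
    return True


if __name__ == "__main__":
    for target in ("http://evil.com", "//evil.com", "/irj/portal"):
        filtered = weak_redirect_target(target)
        print(f"{target:18} -> filtered {filtered:18} -> lands on "
              f"{redirect_host(BASE_URL, filtered)} | hardened check: "
              f"{is_safe_redirect(target)}")
```

Run stand-alone, the script shows that http://evil.com is neutralised by the colon encoding (the victim stays on sap.example.com), while //evil.com survives the filter and resolves to https://evil.com; the hardened check rejects both and keeps only the in-site path. The design point is to validate the destination the browser will actually reach rather than to blacklist one character.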
Proof of Concept
Open this URL
and press the “Log On Again” button.