Flaw opens SAP Web Application Server to phishing scams

SAP is issuing a patch for multiple vulnerabilities discovered in its Web Application Server that can expose users to phishing scams.

A South American security firm has discovered multiple vulnerabilities in the SAP Web Application Server that could be exploited to conduct a phishing scam and cross-site scripting attacks.

The flaws were discovered in versions 6.10, 6.20, 6.40 and 7.00, and affect the Business Server Pages (BSP) runtime of the Web Application Server.

The firm that discovered the vulnerabilities, Cybsec SA, which has offices in Panama, Ecuador and Argentina, has given the flaws medium to high threat classifications. SAP was notified in September and had a patch developed last month. The patch is being released this week in coordination with the advisory, according to Leandro Meiners, a Cybsec researcher who discovered the flaws.


"SAP Web Application Server was found to be vulnerable to JavaScript injection, allowing for cross-site scripting attacks," Meiners wrote in a public advisory.

Unpatched, the cross-site scripting flaws let an attacker execute arbitrary HTML and script code in a victim's browser in the context of the SAP application. The phishing vector is an open redirect: a user can be lured to a malicious Web site by following a link whose host name is that of the trusted SAP server, according to Cybsec.

The link "will logout the user from the application (sap-sessioncmd=close), even if not logged in, and redirect to the attacker site," Meiners said.

A partial fix to the vulnerabilities can be found in SAP Note 887323, which indicates which service packs to apply, according to Cybsec.

SAP is also advising customers, in SAP Note 887322, to disable the sap-exiturl parameter in older 6.10 releases and in 6.20 releases prior to service pack 54. In newer 6.20 and 7.00 releases, the parameter's value is checked against a customer-configured white list before the redirect is followed, according to the Cybsec advisory.
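The white-list approach described above is the standard fix for a redirect parameter that an attacker can point at their own server. The following is an added example, not SAP's code and not taken from the Cybsec advisory: it shows how such a check on a logout exit URL would be written, and why a plain substring match is not enough. The host names, the parameter handling and the default landing page are all hypothetical; SAP's actual white list is configured per customer as described in the note.

```python
from urllib.parse import urlsplit

# Constructed allow list of hosts the application may redirect to after logout.
# Hypothetical values: a real deployment would load these from configuration.
ALLOWED_EXIT_HOSTS = {"portal.example.com", "intranet.example.com"}

# Where to send the user when the requested exit URL is rejected.
DEFAULT_EXIT_URL = "https://portal.example.com/"


def safe_exit_url(candidate, allowed_hosts=ALLOWED_EXIT_HOSTS, default=DEFAULT_EXIT_URL):
    """Return the candidate exit URL if it points at an allowed host, else the default.

    The check parses the URL and compares the *host* component only, so the
    usual open-redirect tricks fail:
      - "//evil.example/"                      scheme-relative, no http/https scheme
      - "https://portal.example.com@evil.example/"   allowed name in userinfo, not host
      - "https://portal.example.com.evil.example/"   allowed name as a prefix
      - "https:\\\\evil.example/"               backslashes some browsers treat as "/"
      - "javascript:alert(1)"                  non-navigational scheme
    """
    if not candidate:
        return default
    # Normalise backslashes first: without this, urlsplit sees no authority in
    # "https:\\evil.example/" while a browser would happily navigate to evil.example.
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme not in ("http", "https"):
        return default
    host = parts.hostname  # already lower-cased, userinfo and port stripped
    if host is None or host not in allowed_hosts:
        return default
    return normalised


def logout_redirect(query_params):
    """Simulate the logout handler: close the session, then redirect safely.

    query_params is a dict of the request's query string; the parameter name
    sap-exiturl is the one named in the article, the handler itself is hypothetical.
    """
    session_closed = query_params.get("sap-sessioncmd") == "close"
    target = safe_exit_url(query_params.get("sap-exiturl"))
    return {"session_closed": session_closed, "location": target}


if __name__ == "__main__":
    # Constructed sample links, the kind a phishing mail would carry.
    for url in [
        "https://portal.example.com/home",
        "http://evil.example/login",
        "//evil.example/",
        "https://portal.example.com@evil.example/",
        "https:\\\\evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{url!r:50} -> {safe_exit_url(url)}")
```

The point of checking `parts.hostname` rather than searching the raw string for an allowed name is the fourth case in the docstring: a URL can contain a trusted host name in its userinfo or as a subdomain prefix and still land the user on the attacker's server. Falling back to a fixed default, rather than refusing to log the user out, keeps the legitimate `sap-sessioncmd=close` behaviour intact while removing the attacker's control over the destination.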

Cybsec SAP advisories:

  • Security advisory: Multiple XSS in SAP WAS
  • Security advisory: Phishing Vector in SAP WAS
  • Security advisory: HTTP Response Splitting in SAP WAS