Flaw opens SAP Web Application Server to phishing scams

Robert Westervelt, News Editor
A South American security firm has discovered multiple vulnerabilities in the SAP Web Application Server that could be exploited to conduct a phishing scam and cross-site scripting attacks.

The flaws were discovered in versions 6.10, 6.20, 6.40 and 7.00, and affect the business service provider (BSP) runtime of the Web application server.

The firm that discovered the vulnerabilities, Cybsec SA, which has offices in Panama, Ecuador and Argentina, has given the flaws medium to high threat classifications. SAP was notified in September and had a patch developed last month. The patch is being released this week in coordination with the advisory, according to Leandro Meiners, a Cybsec researcher who discovered the flaws.

"SAP Web Application Server was found to be vulnerable to JavaScript injection, allowing for cross-site scripting attacks," Meiners wrote in a public advisory.

Left open, the flaws could allow an attacker to execute arbitrary HTML and script code in a user's browser. Users could be tricked into visiting a malicious Web site by following a link with a trusted host name, according to Cybsec.

The link "will logout the user from the application (sap-sessioncmd=close), even if not logged in, and redirect to the attacker site," Meiners said.

A partial fix to the vulnerabilities can be found in SAP Note 887323, which indicates which service packs to apply, according to Cybsec.

SAP is also advising customers, in SAP Note 887322, to disable the sap-exiturl parameter in older 6.10 releases and in 6.20 releases prior to service pack 54. In newer 6.20 and 7.00 releases, the parameter is checked against a customer-configured white list, according to the Cybsec advisory.
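The white-list approach SAP describes for sap-exiturl is a general defence against redirect-based phishing: a logout or exit URL supplied by the client is only honoured if it points at a host the operator has explicitly approved, and everything else falls back to a fixed local page. The following is an added example written for this article, not SAP's code and not taken from the Cybsec advisory; the allow-list, the default landing page and the function name safe_exit_url are assumptions made for illustration. It also shows the edge cases a practitioner has to handle when validating a redirect target: scheme-relative URLs, credentials embedded before the host, non-HTTP schemes, backslashes and look-alike subdomains.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real deployment would load it
# from configuration rather than hard-code it.
ALLOWED_HOSTS = frozenset({"portal.example.com", "sso.example.com"})

# Where the user lands when the supplied exit URL is rejected (assumption).
DEFAULT_EXIT = "/"


def safe_exit_url(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_EXIT):
    """Return `candidate` only if it is a safe post-logout redirect, else `default`.

    A value is accepted when it is either a site-relative path ("/login")
    or an absolute http(s) URL whose host is on the allow-list.
    """
    if not candidate:
        return default
    raw = candidate.strip()

    # Control characters, embedded whitespace and backslashes are rejected
    # outright: browsers normalise "\\" to "/" and whitespace can be used to
    # smuggle a second URL past naive checks.
    if any(ord(ch) < 0x21 for ch in raw) or "\\" in raw:
        return default

    # "//evil.example/..." is scheme-relative and resolves to another host,
    # so it must be checked before the plain relative-path shortcut below.
    if raw.startswith("//"):
        return default

    # A path on the same site never leaves the application.
    if raw.startswith("/"):
        return raw

    try:
        parts = urlsplit(raw)
    except ValueError:
        # e.g. malformed IPv6 literal
        return default

    # Only web schemes; "javascript:", "data:" and friends are not redirects.
    if parts.scheme.lower() not in ("http", "https"):
        return default

    # Reject userinfo: "https://portal.example.com@evil.example/" shows the
    # trusted name first but actually navigates to evil.example.
    if "@" in parts.netloc:
        return default

    # .hostname is lower-cased and has the port stripped, so the comparison
    # is exact against the allow-list (no suffix or substring matching).
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return default

    return raw


def demo():
    """Run a handful of constructed inputs through the check."""
    samples = [
        "/login",
        "https://portal.example.com/home",
        "HTTPS://SSO.EXAMPLE.COM:443/x",
        "//evil.example/",
        "https://portal.example.com@evil.example/",
        "https://portal.example.com.evil.example/",
        "javascript:alert(1)",
        "portal.example.com/home",
        "https://portal.example.com\\@evil.example/",
    ]
    return {s: safe_exit_url(s) for s in samples}


if __name__ == "__main__":
    for url, result in demo().items():
        print(f"{url!r:55} -> {result!r}")
```

The check deliberately matches the host exactly rather than by suffix: a suffix match on ".example.com" would be satisfied by "portal.example.com.evil.example" only if the dot placement were wrong, but it would also accept any subdomain an attacker could register or compromise, which is why the operator-maintained list holds full host names.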

Cybsec SAP advisories:

  • Security advisory: Multiple XSS in SAP WAS
  • Security advisory: Phishing Vector in SAP WAS
  • Security advisory: HTTP Response Splitting in SAP WAS