[ERPSCAN-12-042] SAP NetWeaver SOAP RFC – CSRF

DSECRG Advisories

Application: SAP BASIS
Vendor URL: http://www.sap.com
Bugs: CSRF
Exploits: YES
Reported: 12.03.2011
Vendor response: 13.03.2011
Date of SAP Security Note published: 14.08.2012
Date of Public Advisory: 13.11.2012
Reference: SAP Security Note 1728500
Author: Alexey Tyurin (ERPScan)

It is possible to execute commands in a SAP system with the help of a cross-site request forgery attack on the RFC service.
For example, an attacker can create a new user in ABAP Engine or execute OS commands using RFC functions.

Business Risk
An attacker can exploit the CSRF vulnerability by sending a link to a malicious page to an unaware user via e-mail, messaging or social networks. The end user's browser has no way of knowing that the page should not be trusted, and will execute the script. Thus, an attacker can gain access to the user's session and gain control over business-critical information that the victim is authorized to access.
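The defence against the attack described above is server-side: a state-changing SOAP request that rides on the victim's session cookie must be rejected unless it also proves it came from the application's own pages. The following is an added example (not code from the advisory, from SAP, or from ERPScan) of the checks a web tier in front of an RFC-over-SOAP endpoint should apply. The endpoint path, the application origin, the `SESSIONID` cookie name and the `X-CSRF-Token` header name are assumptions chosen for the example, not values taken from the SAP system.

```python
"""Server-side CSRF gate for a SOAP endpoint (added example, hypothetical names)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed values for this example; the real SAP path and host are not taken from the advisory.
SOAP_RFC_PATH = "/example/soap/rfc"
APP_ORIGIN = "https://sap.example.internal"
TOKEN_HEADER = "X-CSRF-Token"          # hypothetical header carrying the synchronizer token
STATE_CHANGING = ("POST", "PUT", "DELETE")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class SessionStore:
    """Maps a session id to its anti-CSRF token (synchronizer token pattern)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def create_session(self) -> Tuple[str, str]:
        sid = secrets.token_urlsafe(16)
        tok = secrets.token_urlsafe(32)
        self._tokens[sid] = tok
        return sid, tok

    def token_for(self, sid: str) -> Optional[str]:
        return self._tokens.get(sid)


def _header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _same_origin(url: str) -> bool:
    """Compare scheme and host:port exactly; a prefix match would let lookalike hosts through."""
    candidate, expected = urlsplit(url), urlsplit(APP_ORIGIN)
    return (candidate.scheme, candidate.netloc) == (expected.scheme, expected.netloc)


def check_csrf(req: Request, store: SessionStore) -> Tuple[bool, str]:
    """Return (allowed, reason). Only state-changing calls to the SOAP endpoint are gated."""
    if req.path != SOAP_RFC_PATH or req.method.upper() not in STATE_CHANGING:
        return True, "not a state-changing SOAP request"

    sid = req.cookies.get("SESSIONID")
    expected = store.token_for(sid) if sid else None
    if expected is None:
        return False, "no authenticated session"

    # Check 1: the browser-set Origin (or Referer as fallback) must be the application itself.
    source = _header(req, "Origin") or _header(req, "Referer")
    if source is None or not _same_origin(source):
        return False, "cross-site origin"

    # Check 2: a per-session token that only the application's own pages can read and send.
    presented = _header(req, TOKEN_HEADER)
    if presented is None or not hmac.compare_digest(presented, expected):
        return False, "missing or invalid CSRF token"

    # Check 3: an HTML form cannot set a SOAP content type, so a cross-site POST fails here too.
    ctype = _header(req, "Content-Type") or ""
    if not ctype.startswith(("text/xml", "application/soap+xml")):
        return False, "non-SOAP content type"

    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed requests through the gate; the victim is logged in for all of them."""
    store = SessionStore()
    sid, tok = store.create_session()
    victim_cookies = {"SESSIONID": sid}
    soap_body = "<Envelope/>"  # constructed placeholder body

    legitimate = Request("POST", SOAP_RFC_PATH,
                         {"Origin": APP_ORIGIN, TOKEN_HEADER: tok, "Content-Type": "text/xml"},
                         victim_cookies, soap_body)
    # A request the victim's browser would issue from an attacker-controlled page: cookie present, token absent.
    cross_site = Request("POST", SOAP_RFC_PATH,
                         {"Origin": "https://attacker.example", "Content-Type": "text/plain"},
                         victim_cookies, soap_body)
    # Lookalike host in the Referer, still no token.
    lookalike = Request("POST", SOAP_RFC_PATH,
                        {"Referer": "https://sap.example.internal.attacker.example/page",
                         "Content-Type": "text/xml"},
                        victim_cookies, soap_body)
    return {"legitimate": check_csrf(legitimate, store),
            "cross_site": check_csrf(cross_site, store),
            "lookalike": check_csrf(lookalike, store)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The three checks are layered on purpose: origin comparison catches the common case, the synchronizer token is the check the attacker's page cannot satisfy even if the browser sends no Origin header, and the content-type check rejects anything a plain HTML form can produce. The `_same_origin` helper compares scheme and host exactly rather than by prefix, which is the mistake that would let a host such as `sap.example.internal.attacker.example` pass.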


To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: