[ERPSCAN-12-049] SAP NetWeaver CCMS – XML External Entity

DSECRG Advisories

Application: SAP NetWeaver ABAP
Versions Affected: SAP NetWeaver ABAP
Vendor URL: http://www.sap.com
Bugs: XML External Entity
Exploits: YES
Reported: 07.12.2011
Vendor response: 08.12.2011
Date of Public Advisory: 13.11.2012
Reference: SAP Security Note 1715040
Authors: Alexey Tyurin (ERPScan)

The SAP NetWeaver CCMS XML parser validates all incoming XML requests against a user-specified DTD.

Business Risk
An attacker can send arbitrary packets to any port of any system, including localhost. This means, for example, that any administrative command can be sent to the Gateway or Message server, because the source of the packet will be localhost and there are no restrictions for localhost. Another example is an attack on other interfaces.
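
The check below is an added example, not part of the original advisory and not SAP's fix (that is SAP Security Note 1715040). It shows how a filter in front of an XML endpoint can list the DTD and entity locations a request names, without fetching them, and refuse the request. The function names, the refuse-everything policy and the sample requests are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit
from xml.parsers import expat

def external_references(xml_bytes):
    """Return (kind, system_id) for each external DTD/entity the request names.
    expat only hands the identifiers to the handlers; it performs no I/O."""
    found = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:
            found.append(("doctype", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id:
            found.append(("parameter-entity" if is_param else "entity", system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)
    return found

def points_inside(system_id):
    """True if the host is localhost or a loopback/private/link-local IP."""
    host = urlsplit(system_id).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: cannot be classified without resolving it
    return ip.is_loopback or ip.is_private or ip.is_link_local

def inspect_request(xml_bytes):
    """Assumed policy: refuse any request that names an external DTD or entity."""
    try:
        refs = external_references(xml_bytes)
    except expat.ExpatError:
        return {"allow": False, "reason": "malformed", "refs": []}
    refs = [(kind, sid, points_inside(sid)) for kind, sid in refs]
    return {"allow": not refs, "reason": "external-reference" if refs else "ok", "refs": refs}

# Constructed sample requests (not taken from the advisory).
SAMPLE_DTD = b'<?xml version="1.0"?><!DOCTYPE req SYSTEM "http://127.0.0.1:8000/req.dtd"><req/>'
SAMPLE_ENTITY = b'<!DOCTYPE req [<!ENTITY e SYSTEM "http://dtd.example/e.xml">]><req/>'
SAMPLE_PLAIN = b"<req><item/></req>"
```

The third field of each reference marks identifiers that point at loopback or private addresses, which is the case the Business Risk section describes. A request is refused for any external reference, whatever that field says.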