[ERPSCAN-12-051] SAP NetWeaver MMC – CSRF
Application: SAP NetWeaver
Vendor URL: http://www.sap.com
Date of Public Advisory: 13.11.2012
Reference: SAP Security Note 1734986
Author: Alexey Tyurin (ERPScan)
It is possible to execute commands in the SAP system via a cross-site request forgery attack on the Management Console.
An attacker can exploit the CSRF vulnerability by sending a link to a malicious page to an unaware user via e-mail, messaging, or social networks. The user's browser has no way of knowing that the page should not be trusted and will execute the script. Thus, an attacker can gain access to the user's session and gain control of business-critical information that the victim is able to access.