[ERPSCAN-16-004] SAP NetWeaver 7.4 (Pmitest servlet) – XSS vulnerability
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: http://www.sap.com
Vendor response: 02.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2234918
Author: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Cross-Site Scripting, XSS [CWE-79]
Impact: information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)                        Network (N)
AC : Access Complexity (Required attack complexity)               Medium (M)
Au : Authentication (Level of authentication needed to exploit)   None (N)
C  : Impact to Confidentiality                                    None (N)
I  : Impact to Integrity                                          Partial (P)
A  : Impact to Availability                                       None (N)
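The base score above follows from the vector by the CVSS v2 base equations. The following Python is an added example (not part of the advisory) that reproduces the calculation from the vector string, so a reader can check the 4.3 and score other vectors the same way; the metric weights are the published CVSS v2 constants, and the function and variable names are the example's own.

```python
"""Compute a CVSS v2 base score from a base vector string (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification (base metrics only).
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability


def parse_vector(vector):
    """Turn 'AV:N/AC:M/Au:N/C:N/I:P/A:N' into a dict of metric name -> letter value."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"incomplete or unknown base vector: {vector!r}")
    return metrics


def cvss2_base_score(vector):
    """Return a dict with the impact and exploitability sub-scores and the rounded base score."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_WEIGHT[m["C"]])
                          * (1 - CIA_WEIGHT[m["I"]])
                          * (1 - CIA_WEIGHT[m["A"]]))
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    if impact == 0:
        # f(Impact) is 0 when there is no impact at all, so the base score is 0.
        raw = 0.0
    else:
        raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    # CVSS v2 rounds to one decimal place, half up.
    base = float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))
    return {"impact": impact, "exploitability": exploitability, "base": base}


if __name__ == "__main__":
    # The vector given in this advisory.
    print(cvss2_base_score("AV:N/AC:M/Au:N/C:N/I:P/A:N"))
```

For the advisory's vector the impact sub-score is 10.41 * 0.275 = 2.86 and the exploitability sub-score is 20 * 1.0 * 0.61 * 0.704 = 8.59, which the equation combines to 4.3.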
An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
The characteristic of reflected XSS is that the attacker has to trick the user: the victim must be made to follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.
The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. An attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to gain control over this information. XSS can also be used to modify the displayed site content without authorization.
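The reflection-and-encoding pattern behind this class of bug, shown as an added example that is not SAP's code and says nothing about how the Pmitest servlet itself is written: a minimal handler reflects a query parameter into an HTML page, once verbatim and once HTML-encoded for an element-content context, and sets the session cookie with HttpOnly so that cookie theft via document.cookie fails even where a script does run. The handler, the `/servlet` path, the `name` parameter and the cookie name are all invented for the example.

```python
"""Reflected XSS: unsafe reflection of a parameter beside its encoded form (added example)."""
import html
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "JSESSIONID"  # assumption: name of the session cookie being protected


def render_unsafe(name):
    """Reflects the parameter verbatim, so markup inside `name` is parsed as HTML."""
    return f"<html><body><p>Hello, {name}</p></body></html>"


def render_safe(name):
    """HTML-encodes the parameter for an element-content context: it is displayed, not executed."""
    return f"<html><body><p>Hello, {html.escape(name, quote=True)}</p></body></html>"


def handle(request_url, safe=True):
    """Minimal request handler: reads `name` from the query string and renders the page.

    Returns (status, headers, body). The session cookie is marked HttpOnly so that a
    script running in the page cannot read it through document.cookie; this limits the
    cookie theft described above but does not remove the XSS, which only the encoding does.
    """
    query = parse_qs(urlsplit(request_url).query)
    name = query.get("name", ["guest"])[0]
    body = render_safe(name) if safe else render_unsafe(name)
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", f"{SESSION_COOKIE}=<session-id-placeholder>; HttpOnly; Secure; SameSite=Lax"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return 200, headers, body


def reflected_unencoded(body, payload):
    """Regression check: does the submitted payload survive in the response unencoded?"""
    return payload in body


# Constructed sample of the crafted-link input a reflected XSS relies on (hypothetical host and path).
CRAFTED_URL = "https://host.example/servlet?name=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    for safe in (False, True):
        _, _, body = handle(CRAFTED_URL, safe=safe)
        print("safe  " if safe else "unsafe", body)
```

The `reflected_unencoded` check is the kind of assertion worth keeping in a regression test for any page that echoes request data: it fails on the verbatim handler and passes once the output is encoded.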
SAP NetWeaver J2EE Engine 7.40
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2234918.
PMI can be abused by an attacker allowing them to modify displayed application content and to potentially obtain authentication information of other legitimate users.
An anonymous attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: