[ERPSCAN-16-008] SAP NetWeaver 7.4 (ProxyServer servlet) – XSS vulnerability

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: SAP
Bugs: Cross Site Scripting (XSS)
Reported: 10.08.2015
Vendor response: 11.08.2015
Date of Public Advisory: 09.02.2016
Reference: SAP Security Note 2220571
Author: Vahagn Vardanyan (ERPScan)

Class: [CWE-79]
Impact: XSS on SAP NetWeaver AS JAVA
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2387

CVSS Information
CVSS Base Score v3: 6.1/10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability None (N)

An anonymous attacker can use a specially crafted HTTP request to hijack the session data of administrators or users of the web resource.

Business risk
An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page.
The distinguishing feature of reflected XSS is that the attacker has to trick the user: the malicious person must make the user follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.
The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. The attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control of this information. XSS also allows unauthorized modification of the displayed site content.
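As an added illustration (not the SAP ProxyServer code and not part of the original advisory), the reflected-XSS pattern described above in a hypothetical Java servlet, with the unsafe echo shown beside a hardened version that encodes the parameter for the HTML text context and adds the header and cookie settings that limit what an injected script could reach; the class, parameter name and encoder are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (assumption, not SAP code): reflects the "name" query
// parameter into an HTML response, the shape of bug the advisory describes.
public class EchoServlet extends HttpServlet {

    // Minimal HTML-text-context encoder (assumed helper; a vetted library
    // such as the OWASP Java Encoder is preferable in production code).
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("name");
        resp.setContentType("text/html; charset=UTF-8");
        // Defence in depth: a restrictive CSP blocks inline script execution
        // even if encoding is missed somewhere, and HttpOnly keeps the session
        // cookie out of reach of document.cookie.
        resp.setHeader("Content-Security-Policy", "default-src 'self'");
        Cookie session = new Cookie("JSESSIONID", req.getSession().getId());
        session.setHttpOnly(true);
        session.setSecure(true);
        resp.addCookie(session);
        PrintWriter w = resp.getWriter();
        // Vulnerable form (reflected XSS): attacker-controlled input lands in
        // the page unchanged.
        //   w.println("<p>Hello, " + name + "</p>");
        // Hardened form: the same value, encoded for the HTML text context.
        w.println("<p>Hello, " + encodeForHtml(name) + "</p>");
    }
}
```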

SAP NetWeaver AS JAVA 7.4

To correct this vulnerability, install SAP Security Note 2220571.

PoC 1

PoC 2