Digital Security Research Group [DSecRG] Advisory #DSECRG-08-023 Application: SAP Web Application Server Versions Affected: Version 7.0 Vendor URL: http://SAP.com Bugs: XSS Exploits: YES Reported: 25.01.2008 Vendor response: 25.01.2008 Date of Public Advisory: 21.05.2008 Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** SAP Web Application Server system has Linked XSS security vulnerability Details ******* Linked XSS vulnerability found in URL /sap/bc/gui/sap/its/webgui/ attacker can inject XSS in URL string also Web Dynpro ABAP and for BSP are vulnerable. Example: http://[server]:8000/sap/bc/gui/sap/its/webgui/aaaaaaa"><img/src=javascr ipt:alert('DSECRG_XSS')> --------------------------------------------------------------------- Fix Information *************** The issue has been solved in the ICF system login and as such it is not only relevant for the Web GUI, but also for Web Dynpro ABAP and for BSP Customers can download patches following the solution is documented in SAP note 1136770 About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsec [dot] ru http://www.dsec.ru