SAP Internet Communication Framework (BC-MID-ICF) Vulnerability

2007.07.03
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # Product: Internet Communication Framework (BC-MID-ICF) # Vendor: SAP # Subject: Multiple XSS, HTML Injection # Risk: High # Effect: Remotely exploitable # Author: Cyrill Brunschwiler (cyrill.brunschwiler (at) csnc (dot) ch [email concealed]) # Date: June, 17th 2007 # ############################################################# Introduction: ------------- Compass Security discovered multiple web application security flaws in the SAP Internet Communication Framework (BC-MID-ICF). Vulnerable: ----------- SAP Basis component 640 SP19 and lower SAP Basis component 700 SP11 and lower Not vulnerable: --------------- Customers which registered a customized login error page for SIFC transactions (e.g. for default_host) may not suffer this vulnerability. SAP Basis component 640 SP20 SAP Basis component 700 SP12 Vulnerability Management: ------------------------- October 2006: Vulnerability found October 2006: SAP Security notified November 2007: SAP confirmation April/May 2007: Patches available June 2007: Compass Security Information SAP Information Policy: ------------------------- The information is available to registered SAP clients only (SAP Security Notes) Patches: -------- Available at SAP (See SAP Note No. 1022102). Description ----------- The default login error page reflects unfiltered user input for multiple fields. Exploting the vulnerability will lead to so-called cross-site scripting (XSS). XSS Ref: http://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top