SAP UI5 1.0.0 is vulnerable to Content Spoofing in multiples parameters

2019.05.27

Rafael Fontes Souza (BR)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

> [Suggested description]
> SAPUI5 1.0.0 is vulnerable to Content Spoofing in multiples parameters.
> 
> ------------------------------------------
> 
> [Additional Information]
> https://imgur.com/a/EUf4KN3
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Content Spoofing
> 
> ------------------------------------------
> 
> [Vendor of Product]
> SAP
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> SAPUI5 - 1.0.0
> 
> ------------------------------------------
> 
> [Affected Component]
> SAPUI5 1.0.0 
> 
> PoC:
> https://sapmobile.target.com/sap/opu/odata/UI2/INTEROP/PersContainers(category='P',id='flp.settings.FlpSettings')?$expand=PersContainerItemsu1kpa_HACKED_&sap-cache-id=D49C673A8D0D275477C7CD1FBFA3EE31
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Attack Vectors]
> https://imgur.com/a/EUf4KN3
> 
> ------------------------------------------
> 
> [Reference]
> https://capec.mitre.org/data/definitions/148.html
> 
> ------------------------------------------
> 
> [Discoverer]
> Offensive0Labs - Rafael Fontes Souza

References:

PoC:

https://imgur.com/a/EUf4KN3

Em ter, 27 de nov de 2018 às 04:44, Secure@sap.com <Secure@sap.com> escreveu: Hi Rafael, You will receive credits on our acknowledgement page. You can find more about SAP disclosure guidelines here :

https://wiki.scn.sap.com/wiki/display/PSR/Disclosure+Guidelines+for+SAP+Security+Advisories

Regards, Ruchika Singh mailto:secure@sap.com Public PGP key:

https://www.sap.com/dmc/policies/pgp/keyblock.txt

www.sap.com Mandatory Disclosure Statements:

http://www.sap.com/company/legal/impressum.epx

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SAP UI5 1.0.0 is vulnerable to Content Spoofing in multiples parameters

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.