SAP NetWeaver Multiple Vulnerabilities


Description   Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information.
1) Input passed via the "logfilename" parameter to b2b/admin/log_view.jsp or b2b/admin/log.jsp in the Internet Sales module is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.
2) Input passed via the "logfilename" parameter to ipc/admin/log.jsp or ipc/admin/log_view.jsp is not properly verified before being used to display files. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences.
Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs.
3) Input passed via the "_loadPage" parameter to b2b/auction/container.jsp in the Internet Sales module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
4) An error within the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet can be exploited to disclose certain Adapter Monitor information.
5) An error within the MessagingSystem servlet can be exploited to disclose certain MessagingSystem Performance Data information.
The vulnerabilities are reported in version 7.0. Other versions may also be affected.
     
Vulnerable Products   Vulnerable Software:
SAP NetWeaver 7.x
     
Solution   Apply SAP Security Notes 1585527 and 1583300.
     
CVE   CVE-2012-1292
CVE-2012-1291
CVE-2012-1290
CVE-2012-1289
     
References   Digital Security Research Group:
http://dsecrg.com/pages/vul/show.php?id=412
http://dsecrg.com/pages/vul/show.php?id=413
http://dsecrg.com/pages/vul/show.php?id=414
http://dsecrg.com/pages/vul/show.php?id=415
http://dsecrg.com/pages/vul/show.php?id=416
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL
3.2.0
Misc : Directory traversal - parameter starting with ../
3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL
3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL
3.2.0
Directory traversal using ..\..
3.2.0
XSS - Phishing : suspicious 'div' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL
3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL
3.2.0
Directory traversal
3.2.0
XSS - Phishing : suspicious 'a' tag found in URL
3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL
3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL
3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL
3.2.0
XSS - Phishing : suspicious 'form' tag found in URL
3.2.0
XSS - Prevention - GET : javascript code found in URL
3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL
3.2.0
Directory traversal backward root folder
3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL
3.2.0
XSS - Phishing : suspicious 'link' tag found in URL
3.2.0
XSS - Prevention - GET : 'script' tag found in URL
3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL
3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL
3.2.0
     


 
 
 
 
 Risk level 
Low 

 Vulnerability First Public Report Date 
2012-02-21 

 Target Type 
Server 

 Possible exploit 
Remote