Sense of Security – Security Advisory – SOS-14-005
Release Date. | 14-Dec-2014 |
Last Update. | – |
Vendor Notification Date. | 24-Jun-2014 |
Product. | SAP NetWeaver Business Client for HTML 3.0 |
Platform. | SAP NetWeaver Business Client for HTML 3.0 |
Affected versions. | – |
Severity Rating. | Medium |
Impact. | Manipulation of data |
Attack Vector. | Remote without authentication |
Solution Status. | Workaround |
CVE reference. | – |
Details.
Multiple cross-site scripting vulnerabilities were detected in SAP
NetWeaver Business Client for HTML 3.0. The application can be abused by
an attacker, allowing them to modify displayed application content
without authorisation, and to potentially obtain authentication
information from other legitimate users. SAP has released a security
note and a workaround to mitigate the vulnerabilities.
Exploits and Tools.
1 – https://customer.com/vendor/~testcanvas/?title=[Cross-site Scripting Data]&flags=&roundtrips=1+&sap-accessibility=&as_fid=nTEgMjp9nblZhLohXjDE
2 – https://customer.com/vendor/~testcanvas/?title=&flags=&roundtrips=[Cross-site Scripting Data]
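As an added illustration (not part of the advisory), the following Python script shows how a defender could scan web server access logs for requests to the ~testcanvas path that carry markup metacharacters in the title or roundtrips parameters named above, and how such a reflected value should be HTML-encoded before it is rendered. The log lines, client addresses and the /vendor/~testcanvas/ path are constructed from the shape of the URLs above and are assumptions, not real NWBC paths or real traffic.

```python
import html
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the advisory). Combined log format:
# client - - [time] "METHOD target HTTP/1.1" status size
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2014:10:00:01 +1100] "GET /vendor/~testcanvas/?title=Report&flags=&roundtrips=1+&sap-accessibility= HTTP/1.1" 200 5120
10.0.0.7 - - [14/Dec/2014:10:00:02 +1100] "GET /vendor/~testcanvas/?title=%3Cscript%3Etest%3C%2Fscript%3E&flags=&roundtrips=1+ HTTP/1.1" 200 5210
10.0.0.9 - - [14/Dec/2014:10:00:03 +1100] "GET /vendor/~testcanvas/?title=&flags=&roundtrips=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5190
10.0.0.9 - - [14/Dec/2014:10:00:04 +1100] "GET /vendor/ping HTTP/1.1" 200 12
"""

# Parameters the advisory names as reflected into the page without encoding.
REFLECTED_PARAMS = ("title", "roundtrips")
# Markup and attribute delimiters that a benign title or roundtrip counter never needs.
SUSPICIOUS_CHARS = frozenset('<>"\'')


def parse_request_target(line):
    """Return the request target (path + query) from the quoted request field."""
    start = line.find('"')
    end = line.find('"', start + 1)
    if start < 0 or end < 0:
        return None
    parts = line[start + 1:end].split()
    return parts[1] if len(parts) >= 2 else None


def suspicious_params(target):
    """Map reflected parameter name -> decoded value for values carrying markup characters."""
    parts = urlsplit(target)
    if "~testcanvas" not in parts.path:
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in REFLECTED_PARAMS:
        for raw in query.get(name, []):
            # parse_qs already percent-decodes once; decode again so a
            # double-encoded value (e.g. %253C) is judged in its final form.
            value = unquote(raw)
            if any(c in SUSPICIOUS_CHARS for c in value) or "javascript:" in value.lower():
                hits[name] = value
    return hits


def scan_log(text):
    """Return (line number, client address, hits) for each suspicious ~testcanvas request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        target = parse_request_target(line)
        if not target:
            continue
        hits = suspicious_params(target)
        if hits:
            client = line.split(" ", 1)[0]
            findings.append((lineno, client, hits))
    return findings


def safe_reflect(value):
    """The fix on the rendering side: HTML-encode the parameter before placing it in the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for lineno, client, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: client {client} sent markup in {hits}")
    print("encoded for output:", safe_reflect("<script>test</script>"))
```

The scanner deliberately keys on the ~testcanvas path and the two parameter names from the advisory rather than on any particular payload, so it catches probing regardless of how the injected markup is phrased; the safe_reflect function shows the encoding the application should have applied to those values.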
Solution.
NetWeaver Business Client for HTML 3.0 was never officially released
for SAP_BASIS 720, so it needs to be deactivated there:
1 – Start the ABAP transaction SICF.
2 – On the initial screen, search for the service name “nwbc”.
3 – On the result page, select each of the listed NWBC nodes and deactivate
it, either via the context menu (“Disable Service”) or via the main menu
(Service/Host –> Disable).
Discovered by.
Fatih Ozavci from Sense of Security Labs.