Security Advisory – SOS-14-005 – SAP NetWeaver Business Client for HTML Cross-site Scripting Vulnerabilities
Release Date: 14-Dec-2014
Last Update: –
Vendor Notification Date: 24-Jun-2014
Product: SAP NetWeaver Business Client for HTML 3.0
Affected versions: SAP NetWeaver Business Client for HTML 3.0
Severity Rating: Medium
Impact: Manipulation of data
Attack Vector: Remote without authentication
Solution Status: Workaround
CVE reference: –
Multiple cross-site scripting vulnerabilities were detected in the SAP NetWeaver Business Client for HTML 3.0. The NetWeaver Business Client for HTML 3.0 can be abused by an attacker, allowing them to modify displayed application content without authorisation, and to potentially obtain authentication information from other legitimate users. SAP has released security notes and a workaround solution to mitigate the vulnerabilities.
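The two impacts named above (altered page content and exposure of other users' authentication data) follow from the same root cause: untrusted input reaching the HTML response without output encoding. The following Python is an added illustration written for this advisory, not SAP's code or the proof of concept in the PDF; the URL, parameter name and cookie name are constructed placeholders and do not come from the advisory. It contrasts the vulnerable concatenation pattern with contextual encoding, and shows the cookie attributes that limit what injected script can read.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a query parameter that the page echoes back.
# Hostname and parameter name are placeholders, not values from the advisory.
SAMPLE_URL = "https://host.example/app?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def reflected_param(url: str, name: str) -> str:
    """Extract a query parameter the way a page might before echoing it back."""
    qs = parse_qs(urlparse(url).query)
    return qs.get(name, [""])[0]


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<p>Welcome, {value}</p>"


def render_safe(value: str) -> str:
    """Hardened pattern: HTML-encode the value for the context it lands in."""
    return f"<p>Welcome, {html.escape(value, quote=True)}</p>"


def contains_markup(rendered: str, marker: str = "<script") -> bool:
    """Crude check used only to make the difference between the renderers visible."""
    return marker in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that keep a session cookie out of reach of injected script.

    HttpOnly blocks document.cookie access, Secure confines it to TLS and
    SameSite reduces cross-site request abuse. Cookie name is a placeholder.
    """
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    value = reflected_param(SAMPLE_URL, "user")
    print(render_unsafe(value))   # markup survives intact
    print(render_safe(value))     # markup is rendered as text
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

The encoding step must match the output context (HTML body here); a value placed inside a JavaScript block or an attribute needs the encoding for that context, and `html.escape` alone is not sufficient there.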
Please refer to the PDF version of this advisory for proof of concept code examples.
NetWeaver Business Client for HTML 3.0 was never officially released for SAP_BASIS 720. Therefore it needs to be deactivated there.
Start the ABAP transaction SICF.
On the initial screen search for the service name “nwbc”.
On the result page click on any of the listed NWBC nodes and deactivate them – via the context menu (“Disable Service”) or via main menu (Service/host –>
Fatih Ozavci from Sense of Security Labs.