SAP NetWeaver Multiple Input Validation Vulnerabilities
BID:52101
Info
| Bugtraq ID: | 52101 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-1289 CVE-2012-1290 CVE-2012-1291 CVE-2012-1292 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 21 2012 12:00AM |
| Updated: | Feb 27 2012 08:40PM |
| Credit: | Dmitriy Chastukhin of Digital Security Research Group. |
| Vulnerable: | SAP NetWeaver 7.0 |
| Not Vulnerable: | |
Discussion
SAP NetWeaver is prone to multiple input-validation vulnerabilities, including:
1. A cross-site scripting vulnerability
2. Multiple directory traversal vulnerabilities
3. Multiple information-disclosure vulnerabilities
Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible.
Exploit / POC
An attacker can exploit these issues through a browser. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Vendor updates are available. Please see the references for more information.
References
References:
- [DSECRG-12-013] SAP Application Administration - local file read (DSECRG)
- [DSECRG-12-014] SAP Internet Sales - XSS (DSECRG)
- [DSECRG-12-015] SAP Adapter Monitor - information disclosure (DSECRG)
- [DSECRG-12-016] SAP MessagingSystem - information disclosure (DSECRG)
- SAP Homepage (SAP)
- [DSECRG-12-012] SAP NetWeaver Internet Sales - local file read (DSECRG)