SAP WebAS ITS Mobile Test Service Multiple Vulnerabilities

Summary

Multiple vulnerabilities were identified in the SAP WebAS ITS Mobile Test Service.

Credit:

The information has been provided by Mariano Nuñez Di Croce.
The original article can be found at: http://seclists.org/bugtraq/2011/Apr/281

Details

Vulnerable Systems:
 * SAP BASIS 640
 * SAP BASIS 700-702
 * SAP BASIS 710-730

It has been detected that the ITS Mobile Test service suffers from input validation vulnerabilities and design weaknesses, which can be exploited to perform cross-site scripting (XSS) and arbitrary redirect attacks.

Upon successful exploitation, an attacker would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Further technical details about this issue are not disclosed at this moment, in order to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerabilities.

Patch Availability:
SAP has released SAP Note 1512134 which provides patched versions of the affected components.
The patches can be downloaded from
https://service.sap.com/sap/support/notes/1512134.

Disclosure Timeline:
2010-09-22: Vulnerability information to SAP.
2010-09-23: SAP confirms reception of vulnerability submission.
2011-01-11: SAP releases security patches.
2011-04-19: Security advisory to security mailing lists.