‘SAP WebAS ITS Mobile Test Service Multiple Vulnerabilities’
‘The information has been provided by Mariano Nu ez Di Croce.
The original article can be found at: http://seclists.org/bugtraq/2011/Apr/281‘
* SAP BASIS 640
* SAP BASIS 700-702
* SAP BASIS 710-730
It has been detected that the ITS Mobile Test service suffers from input validation vulnerabilities and design weaknesses, which can be exploited toperform XSS and arbitrary redirects attacks.
Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.
Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.
SAP has released SAP Note 1512134 which provides patched versions of the affected components.
The patches can be downloaded from
2010-09-22: Vulnerability information to SAP.
2010-09-23: SAP confirms reception of vulnerability submission.
2011-01-11: SAP releases security patches.
2011-04-19: Security advisory to security mailing lists.’