SAP NetWeaver 6.40-7.0 Cross-Site Scripting

Reported by:
Jaime Blasco from Aitsec Information Technology Security - jaime.blasco@aitsec.com

Description:
SAP NetWeaver has a web interface for accessing the filesystem of the portal; users can submit "feedback" on files. Input passed into the content of this feedback is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Solution:
This issue can be solved by activating "Secure Editing" in the Portal (System Configuration -> System Configuration -> Knowledge Management (in Detailed Navigation) -> Utilities -> Editing -> HTML Editing).

NetWeaver 04 (6.40) SP17
NetWeaver 7.0 SP8

As of NetWeaver 7.0 SP15 the secure editor is on by default (SAP note 1110597).
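To illustrate the difference between echoing stored feedback verbatim and passing it through an allowlist HTML sanitizer of the kind a "secure editing" mode applies, here is an added example in Python; it is not SAP's code, the allowlist and the sample feedback string are constructed for the example, and NetWeaver's actual editor logic is assumed to differ in detail.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: the only tags/attributes a feedback note may carry.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Constructed sample of a stored feedback body containing script and
# event-handler markup that the vulnerable page would return unchanged.
SAMPLE_FEEDBACK = ('<b>Nice</b> <script>alert(1)</script>'
                   '<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>')


class FeedbackSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes;
    other tags are dropped, text is entity-escaped, script/style bodies skipped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value:
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # drops javascript:, data: and other non-allowlisted URLs
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))


def render_feedback_unsafe(text: str) -> str:
    # The vulnerable behaviour: stored content is returned verbatim.
    return f"<div class='feedback'>{text}</div>"


def render_feedback_secure(text: str) -> str:
    # The hardened behaviour: content is rebuilt from the allowlist only.
    parser = FeedbackSanitizer()
    parser.feed(text)
    parser.close()
    return f"<div class='feedback'>{''.join(parser.out)}</div>"
```

The sanitizer keeps `<b>Nice</b>` and the link text but removes the script element, the `javascript:` href and the `<img onerror>` tag, which is the property to verify when checking that the secure editor is actually in effect.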

Timeline:
* March 11: Initial contact.
* March 12: Confirmed.
* April 5: Vendor response.

Aitsec Servicios Informáticos S.L © 2007 | All rights reserved | Legal notice