Vigil@nce: SAP NetWeaver, Cross Site Scripting of Web Services Navigator
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Scripting in SAP J2EE Web
Services Navigator, in order to execute script code in the web
context of a user visiting the site.
– Severity: 2/4
– Creation date: 21/07/2010
– Revision date: 23/07/2010
DESCRIPTION OF THE VULNERABILITY
The SAP NetWeaver platform is based on the SAP J2EE engine. The
Web Services Navigator (wsnavigator) interface provides the
interaction between J2EE Web Services.
The "title" parameter of the /wsnavigator/jsps/explorer/help.jsp
page is not correctly filtered. This leads to a Cross Site
Scripting, which impacts the SAP_JTECHS component of Web Services
Navigator.
An attacker can therefore trigger a Cross Site Scripting in SAP
J2EE Web Services Navigator, in order to execute script code in
the web context of a user visiting the site.
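Added example, not part of the Vigil@nce bulletin: a Python check that scans web access logs for requests to the help.jsp page named above whose "title" value decodes to HTML markup characters, including double-encoded values. The Common Log Format layout, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Path and parameter named in the bulletin.
TARGET_PATH = "/wsnavigator/jsps/explorer/help.jsp"
TARGET_PARAM = "title"
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP = re.compile(r"[<>\"']")
# Assumed Common Log Format request field: "METHOD URI PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_titles(log_lines):
    """Return (line_number, decoded_title) for requests worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        uri = urlsplit(match.group(1))
        # Compare case-insensitively so path-case variants are not missed.
        if unquote(uri.path).lower() != TARGET_PATH:
            continue
        for name, value in parse_qsl(uri.query, keep_blank_values=True):
            title = fully_decode(value)
            if name.lower() == TARGET_PARAM and MARKUP.search(title):
                hits.append((number, title))
    return hits

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2010:09:14:01 +0200] "GET /wsnavigator/jsps/explorer/help.jsp?title=Help%20Topics HTTP/1.1" 200 812',
    '10.0.0.9 - - [22/Jul/2010:09:15:37 +0200] "GET /wsnavigator/jsps/explorer/help.jsp?title=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 815',
    '10.0.0.9 - - [22/Jul/2010:09:16:02 +0200] "GET /wsnavigator/jsps/explorer/help.jsp?title=%253Ci%253Ex HTTP/1.1" 200 809',
    '10.0.0.7 - - [22/Jul/2010:09:17:45 +0200] "GET /index.jsp?title=%3Cb%3E HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for number, title in suspicious_titles(SAMPLE_LOG):
        print(f"line {number}: title={title!r}")
```

Only query-string parameters are inspected; a "title" value sent in a POST body does not appear in a standard access log and needs request-body logging to be covered.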
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SAP-NetWeaver-Cross-Site-Scripting-of-Web-Services-Navigator-9779