SAP Web Application Server中frameset.htm的HTTP响应拆分漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1197321 漏洞类型 输入验证
发布时间 2005-11-16 更新时间 2005-11-23
CVE编号 CVE-2005-3633 CNNVD-ID CNNVD-200511-201
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://cxsecurity.com/issue/WLB-2005110026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-201
|漏洞详情
SAPWebApplicationServer是一款WEB应用服务程序。SAPWebApplicationServer(WAS)6.10至7.00的frameset.htm中的HTTP响应拆分漏洞,可让远程攻击者通过sap-exiturl参数注入任意HTML头。
|漏洞EXP
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitt
ing_in_SAP_WAS.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: HTTP Response Splitting in SAP WAS (Web Application
Server)

Vulnerability Class: HTTP Response Splitting

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: High

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web
services.

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:
==========================

SAP Web Application Server was found to be vulnerable to HTTP Response
Splitting, in the parameter sap-exiturl. For further reference regarding
HTTP Response Splitting see the whitepaper "HTTP Response Splitting, Web
Cache Poisoning Attacks, and Related Topics" (available at:
http://www.packetstormsecurity.org/papers/general/whitepaper_httprespons
e.pdf)

Exploit (PoC):
==============

If the string "%0a%0dHeader:+Value" is passed (omitting the double
quotes) as the value for the parameter sap-exiturl the string "Header:
value" (without the double quotes) is considered as another HTTP header,
indicating the presence of the vulnerability.

Solutions:
==========

The solution, provided by SAP, is to disable support for the parameter
in older 6.10 releases as well as SP's in 6.20 prior to SP54. For new
6.20 and 7.00 releases the sap-exiturl parameter will be submitted to a
customer configured white-list. For further information see SAP Note
887322.

Vendor Response:
================

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners (at) cybsec (dot) com [email concealed]
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
|参考资料

来源:XF
名称:sap-sapexiturl-response-splitting(23030)
链接:http://xforce.iss.net/xforce/xfdb/23030
来源:SECTRACK
名称:1015174
链接:http://www.securitytracker.com/alerts/2005/Nov/1015174.html
来源:BID
名称:15360
链接:http://www.securityfocus.com/bid/15360/
来源:SECUNIA
名称:17515
链接:http://secunia.com/advisories/17515/
来源:BUGTRAQ
名称:20051109CYBSEC-SecurityAdvisory:HTTPResponseSplittinginSAPWAS
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113156438708932&w=2
来源:BUGTRAQ
名称:20051109CYBSEC-SecurityAdvisory:HTTPResponseSplittinginSAPWAS
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113156438708932&w=2
来源:OSVDB
名称:20714
链接:http://www.osvdb.org/20714
来源:VUPEN
名称:ADV-2005-2361
链接:http://www.frsirt.com/english/advisories/2005/2361
来源:MISC
链接:http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
来源:SREASON
名称:164
链接:http://securityreason.com/securityalert/164