Release Date: 14-Dec-2014

Last Update: –

Vendor Notification Date: 24-Jun-2014

Product: SAP NetWeaver Business Client for HTML 3.0

Platform: –

Affected versions: SAP NetWeaver Business Client for HTML 3.0

Severity Rating: Medium

Impact: Manipulation of data

Attack Vector: Remote without authentication

Solution Status: Workaround

CVE reference: –

Details

Multiple cross-site scripting vulnerabilities were detected in the SAP NetWeaver Business Client for HTML 3.0. The NetWeaver Business Client for HTML 3.0 can be abused by an attacker, allowing them to modify displayed application content without authorisation, and to potentially obtain authentication information from other legitimate users. SAP has released security notes and a workaround solution to mitigate the vulnerabilities.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

NetWeaver Business Client for HTML 3.0 was never officially released for SAP_BASIS 720. Therefore it needs to be deactivated there.

Start the ABAP transaction SICF.

On the initial screen search for the service name “nwbc”.

On the result page click on any of the listed NWBC nodes and deactivate them – via the context menu (“Disable Service”) or via main menu (Service/host –>
Disable).

Discovered By

Fatih Ozavci from Sense of Security Labs.