[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] SAP Hana Cloud 4 XSS
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] SAP Hana Cloud 4 XSS
- From: Shahmeer Baloch <shahmeerbond@xxxxxxxxx>
- Date: Tue, 26 Jan 2016 10:45:08 +0500
Greetings
Upon communication with the SAP team, i was told to send over the advisory
to you. Please read and revert
--
Kind Regards
Shahmeer Amir
Web Application Security Researcher
Network Security Analyst
SAP Hana Cloud Platform Cockpit Cross site Scripting Vulnerabilities
========================================================================
Vender:
SAP
Product:
SAP HANA CLoud
Vulnerability Type:
Cross site scripting
Title:
SAP Hana Cloud Cross scripting in User Display Name
Details:
SAP Hana cloud allows any user with the least privileges to input arbitrary
client side JS code into the Display Name parameter. Victim intervention is not
required for the successful as the code is stored and execute in the browser
upon viewing the victim's profile.
Note: All webpages of the domain are affected
Vulnerable Parameter:
SAP Hana Cloud User Account Display Name "Display Name"
Method:
POST
Exploit Code:
https://localhost/a/cockpit#/acc/[account-id]/accountmanagement
Post data
<name="Display Name" value="007"><img src=x onerror=prompt(document.cookie);>
Impact:
Since there is no requirement of Victim intervention, Session ID and data theft
may follow as well as possibility to
bypass CSRF protections, injection of iframes to establish communication
channels etc.
Severity Level:
Critical
------------------------------------------------------------------------
Vender:
SAP
Product:
SAP HANA CLoud
Vulnerability Type:
Cross site scripting
Title:
SAP Hana Cloud Cross site scripting in HTML5 Application Name
Details:
SAP Hana cloud allows users to input arbitrary client side JS code into the
HTML5 Application Name parameter. Victim intervention is not required for the
successful as the code is stored and execute in the browser upon user edition
of the HTML5 application
Vulnerable Parameter:
SAP Hana Cloud HTML5 Application Name "Application Name"
Method:
POST
Exploit Code:
https://localhost/a/cockpit#/acc/[account-id]/hcproxy
Post data
<name="Application Name" value="007"><img src=x
onerror=prompt(document.cookie);>
Impact:
Since there is no requirement of Victim intervention, Session ID and data theft
may follow as well as possibility to
bypass CSRF protections, injection of iframes to establish communication
channels etc.
Severity Level:
Critical
------------------------------------------------------------------------
Vender:
SAP
Product:
SAP HANA CLoud
Vulnerability Type:
Cross site scripting
Title:
SAP Hana Cloud Cross scripting in Database Repository Name
Details:
SAP Hana cloud allows users to input arbitrary client side JS code into the
Database Repository Name parameter. Victim intervention is not required for the
successful as the code is stored and execute in the browser upon user edition
of the Database Repo application
Vulnerable Parameter:
SAP Hana Cloud HTML5 Database Repository Name "Display Name"
Method:
POST
Exploit Code:
https://localhost/a/cockpit#/acc/[account-id]/repositories/[repository-name]/ecmrepositorysettings
Post data
<name="Display Name" value="007"><img src=x onerror=prompt(document.cookie);>
Impact:
Since there is no requirement of Victim intervention, Session ID and data theft
may follow as well as possibility to
bypass CSRF protections, injection of iframes to establish communication
channels etc.
Severity Level:
Critical
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/