Security Note: Security Issues in Enterprise Service Builder
[admin pages] [cross site scripting] [DocuBaseServlet] [http cookie] [XI]
Symptom
1) Several cross site scripting (XSS) vulnerabilities have been discovered in administrative Web interfaces of XI.
2) Some servlets allow bypassing http-only cookie security.
3) Some Exchange Profile parameters are saved as plain text in NWA.
4) Reading and overwriting files using various administrative XI tools is possible.
5) The password is contained in clear text in the HTML source code.
Other terms
cross site scripting, XI, admin pages, DocuBaseServlet, http cookie, Password visible, reading and overwriting files, xi tools, Exchange Profile etc.
Reason and Prerequisites
Problem Description -
1) XI administrative tools exhibit several possibilities for script injection attacks via URL parameters.
2) The Web interface of the servlet DocuBaseServlet returns a stack trace as well as all HTTP headers, including cookie values.
3) In ESR, JEE application parameters can be set in NWA. Some parameters are not saved as intended in NWA (they are stored in plain text).
4) Users having access to some of these services are able to read any file in the local file system that is accessible to the SAP system user.
5) Any user having access to the Exchange Profile settings is able to retrieve the authentication credentials for all defined technical users.
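To make problems 1, 2 and 4 concrete, the following servlet is an added illustration written for this note; it is not SAP code, and the servlet name AdminDocServlet, the parameter name doc and the directory /usr/sap/docs are assumptions. Each method notes in a comment the defect class the note describes and implements the corresponding fix: reflected parameters are HTML-encoded, error handling keeps the stack trace and request headers server-side (so the Cookie header never lands in a response body that page script could read, which is what makes the HttpOnly flag bypassable), and the file parameter is confined to a fixed document root.

```java
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical admin servlet (not SAP code). It reflects a URL parameter into
// HTML, serves a file named by that parameter, and handles errors: the three
// places where problems 1, 2 and 4 of the note arise.
public class AdminDocServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(AdminDocServlet.class.getName());

    // Assumed names: the note does not name the affected parameters or paths.
    private static final String PARAM_DOC = "doc";
    private static final File DOC_ROOT = new File("/usr/sap/docs");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String doc = req.getParameter(PARAM_DOC);
        try {
            // Problem 1: writing req.getParameter() into the page unencoded lets a
            // crafted URL inject script. Fix: HTML-encode every reflected value.
            out.println("<h1>Document: " + htmlEscape(doc) + "</h1>");
            File f = resolveDocument(doc);
            out.println("<pre>" + htmlEscape(f.getName()) + "</pre>");
        } catch (IOException | RuntimeException e) {
            // Problem 2: dumping e.printStackTrace(out) plus every request header
            // into the body puts the Cookie header where page script can read it,
            // which defeats HttpOnly. Fix: details stay in the server log and the
            // client gets a generic page.
            LOG.log(Level.WARNING, "request failed: " + describeRequest(req), e);
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            out.println("<p>The request could not be processed.</p>");
        }
    }

    // Problem 4: building a path directly from the parameter lets a user read any
    // file the SAP system user can read. Fix: resolve against a fixed root and
    // reject anything whose canonical path leaves that root.
    static File resolveDocument(String doc) throws IOException {
        if (doc == null || doc.isEmpty()) {
            throw new IllegalArgumentException("missing document id");
        }
        File root = DOC_ROOT.getCanonicalFile();
        File target = new File(root, doc).getCanonicalFile();
        if (!target.getPath().startsWith(root.getPath() + File.separator)) {
            throw new IllegalArgumentException("document outside document root");
        }
        return target;
    }

    // Minimal HTML encoding for text placed between tags or in quoted attributes.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Server-side diagnostics keep header names but never cookie or credential values.
    static String describeRequest(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder(req.getMethod()).append(' ').append(req.getRequestURI());
        Enumeration<?> names = req.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            boolean secret = "cookie".equalsIgnoreCase(name) || "authorization".equalsIgnoreCase(name);
            sb.append(' ').append(name).append('=').append(secret ? "<redacted>" : req.getHeader(name));
        }
        return sb.toString();
    }
}
```

The header enumeration is typed as Enumeration<?> with a cast because the Servlet 2.x API of the NW04 era returns a raw Enumeration; the same code compiles unchanged against later servlet versions.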
Solution
Why should customers apply the patch?
This patch fixes the security issues in ESR listed above, which pose a potential security threat, for example XI administrative tools exhibiting several possibilities for script injection attacks via URL parameters.
What are the affected versions?
Affected releases are NW04, NW04S, NY and NY EhP1. The affected SCAs are SAP_XITOOL for releases NW04/NW04S, and SAP_XIESR and SAP_XITOOL for releases SAP NetWeaver PI 7.1 and SAP EHP1 for SAP NetWeaver PI 7.1.
How can customers find out the version used in their systems?
Customers can find out the version they use by opening the Administration pages of ESR, clicking on the "Software Build Information" link and viewing the following:
Make Release, SPS Number.
What are the fixed versions?
All the affected versions are fixed.
Details of the fixes (with the level of the SP in which they were fixed) are as follows:
NW04 SP23
NW04S SP18
SAP NetWeaver PI 7.1 SP7
SAP EHP1 for SAP NetWeaver PI 7.1 SP1
Where and how to get the fixed versions?
You can get the fixed versions from the SAP Service Marketplace:
Service Marketplace -> Downloads -> SAP Support Package -> Enter by Application Group -> SAP NetWeaver -> Select desired Release -> Desired SCA.