[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SAP Solman 7.31 Information Disclosure Vulnerability

Author
Roman Bezhan
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-26563
Category
remote exploits
Date add
21-12-2016
CVE
CVE-2016-10005
Platform
windows
Application: SAP Solman

Versions Affected: SAP Solman 7.1-7.31

Vendor URL: http://SAP.com

Bugs: Information Disclosure

Sent: 12.07.2016

Reported: 13.07.2016

Vendor response: 13.07.2016

Date of Public Advisory: 13.09.2016

Reference: SAP Security Note  2344524

Author: Roman Bezhan (ERPScan)


Description

1. ADVISORY INFORMATION

Title:[ERPSCAN-16-035] SAP Solman a user accounts disclosure

Advisory ID:[ERPSCAN-16-035]

Risk: high

Advisory URL: https://erpscan.com/advisories/erpscan-16-035-sap-solman-user-accounts-dislosure/

Date published: 13.12.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: Information Disclosure

Impact: disclosure of system information

Remotely Exploitable: yes

Locally Exploitable: no

CVE: CVE-2016-10005
CVSS Information

CVSS Base Score v3:    5.3 / 10

CVSS Base Vector:


AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) None (N)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity None (N)

A : Impact to Availability  None (N)


3. VULNERABILITY DESCRIPTION

Webdynpro component allows an attacker to gain users information
defined in the system.

4. VULNERABLE PACKAGES

CAF EU 7.00

CAF EU 7.01

CAF EU 7.02

GUIDED PROCEDURES CORE 7.10

GUIDED PROCEDURES CORE 7.11

GUIDED PROCEDURES CORE 7.20

GUIDED PROCEDURES CORE 7.30

GUIDED PROCEDURES CORE 7.31

GUIDED PROCEDURES CORE 7.40

GUIDED PROCEDURES CORE 7.50

GUIDED PROCEDURES UI ITG 7.50

5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note  2344524


6. AUTHOR

 Roman Bezhan (ERPScan)


7. TECHNICAL DESCRIPTION

An anonymous attacker can use caf~eu~gp~example~timeoff~wd component
to get users information defined in the system. He should click
"Change processor" and start to search users by name in new open below
dialog box.


7.1. Proof of Concept

http://SAP_INSTANCE:50000/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate#

http://SAP_INSTANCE:50000/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate




8. REPORT TIMELINE

Sent: 12.07.2016

Vendor response: 13.07.2016

Date of Public Advisory: 13.09.2016

#  0day.today [2024-12-24]  #