COMMAND

    SAP

SYSTEMS AFFECTED

    SAP

PROBLEM

    Aurelien  Cabezon   found  following.    "Cross   site   scripting
    vulnerability  like"  on  SAP  Internet  Transaction  Server (ITS,
    Version 4640.2.0.328048, Build 46DC2.328048, Virtual Server CRP).

    A "Cross Site Scripting vulnerability like" was discovered on  SAP
    Web Services allowing  a malicious webmaster  to create a  crafted
    URL  pointing  to  a  vulnerable  SAP  server  in order to execute
    hostile Java Script  code on the  client computer who  follow this
    crafted link.

    It is possible to pass wrong  arguments to a SAP page in  order to
    request an error page which contains thoses arguments.  The string
    passed in argument is not  checked by SAP for special  characters,
    so it is possible to intrude HTML code or Hostile JavaScript  code
    in the error page.  When  the client follow this kind of  link, an
    hostile JavaScript code can be  executed on his computer.   It can
    be a way to compromise the client's computer security.

    For further informations, contact: admin@iSecureLabs.com

SOLUTION

    Nothing yet.