Vulnerability Development mailing list archives
Cross site scripting with SAP
From: Aurélien Cabezon [iSecureLabs] <aurelien.cabezon () ISECURELABS COM>
Date: Wed, 14 Mar 2001 10:03:56 +0100
Hi all,

"Cross site scripting vulnerability like" on SAP Internet Transaction Server (ITS, Version 4640.2.0.328048, Build 46DC2.328048, Virtual Server CRP)

A "Cross Site Scripting vulnerability like" was discovered on SAP Web Services, allowing a malicious webmaster to create a crafted URL pointing to a vulnerable SAP server in order to execute hostile JavaScript code on the computer of the client who follows this crafted link.

It is possible to pass wrong arguments to a SAP page in order to request an error page which contains those arguments. The string passed as an argument is not checked by SAP for special characters, so it is possible to insert HTML code or hostile JavaScript code in the error page. When the client follows this kind of link, hostile JavaScript code can be executed on his computer. It can be a way to compromise the client's computer security.

For further information, contact: admin () iSecureLabs com

Sorry for our bad English, we are French guys.

http://www.iSecureLabs.com
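The error-page behaviour described in the post, shown beside an output-encoded version, as an added example that is not part of the original message and is not SAP code. The template, function names and sample inputs are constructed for illustration; `injected_tags` is a small regression check that reports any markup in the response beyond the template's own.

```python
import html
from html.parser import HTMLParser

# Hypothetical error template; the real ITS page layout is not given in the post.
ERROR_TEMPLATE = ("<html><body><h1>Error</h1>"
                  "<p>Unknown argument: {arg}</p></body></html>")

def render_error_unsafe(arg: str) -> str:
    """Pattern from the post: the argument is echoed without any checking."""
    return ERROR_TEMPLATE.format(arg=arg)

def render_error_escaped(arg: str) -> str:
    """Hardened form: encode &, <, >, " and ' before placing the value in HTML."""
    return ERROR_TEMPLATE.format(arg=html.escape(arg, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser recognises."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def _tags_in(page: str) -> list:
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags

# Tags the template itself produces when the argument is empty.
TEMPLATE_TAGS = _tags_in(ERROR_TEMPLATE.format(arg=""))

def injected_tags(page: str) -> list:
    """Return start tags present in the page beyond the template's own."""
    remaining = list(TEMPLATE_TAGS)
    extra = []
    for tag in _tags_in(page):
        if tag in remaining:
            remaining.remove(tag)
        else:
            extra.append(tag)
    return extra

# Constructed sample arguments: one benign, two carrying markup.
SAMPLES = ["report42", "<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "unsafe:", injected_tags(render_error_unsafe(sample)),
              "escaped:", injected_tags(render_error_escaped(sample)))
```

Running the same check against a deployed error page, with its real template's tag list substituted for `TEMPLATE_TAGS`, shows whether request arguments reach the response unencoded.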