SAP Enterprise Portal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Onapsis Security Advisory 2011-005: SAP Enterprise Portal Path Disclosure
This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.
The SAP J2EE Engine is a key component of the SAP NetWeaver application platform, which enables the development and execution of Java solutions in SAP landscapes.
The J2EE Engine is the component on which, for example, the SAP Enterprise Portal solution is built and executed.
5. Vulnerability Details
========================
professional business applications. It is based on the Model View Controller (MVC) paradigm, which ensures that the business logic is separated from the presentation logic.
The SAP Enterprise Portal and Web Dynpro for Java are the strategic user interface technologies of SAP and are based on the SAP Web Application Server (WebAS) Java.
business platforms, protecting their information and decreasing financial fraud risks.
Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-500 companies and governmental entities.
Our star product, Onapsis X1, enables our customers to perform automated Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically.
Some of our featured services include SAP Penetration Testing, SAP Gateway & RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System Hardening and SAP Technical Security Audits.
For further information about our solutions, please contact us at info@onapsis.com and visit our website at www.onapsis.com.
Copyright (c) 2011 Onapsis SRL. All rights reserved.
Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when clicking on a specially crafted URL which can be sent to the user by email.
This vulnerability can be used to steal the user's session cookie or redirect him to a phishing website which shows the (faked) login