Skip to content
Nuclei Templates

SAP Web Application Server 6.x/7.0 - Open Redirect

ID: CVE-2005-3634

Severity: medium

Author: ctflearner

Tags: cve,cve2005,sap,redirect,business,xss

Description

Section titled “Description”

frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2005-3634


info:
  name: SAP Web Application Server 6.x/7.0 - Open Redirect
  author: ctflearner
  severity: medium
  description: |
    frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter.
  impact: |
    An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks.
  remediation: |
    Apply the latest security patches and updates provided by SAP to fix the open redirect vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/26488
    - https://cxsecurity.com/issue/WLB-2005110025
    - https://marc.info/?l=bugtraq&m=113156525006667&w=2
    - http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/23031
    - https://nvd.nist.gov/vuln/detail/CVE-2005-3634
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
    cvss-score: 5
    cve-id: CVE-2005-3634
    cwe-id: NVD-CWE-Other
    epss-score: 0.02843
    epss-percentile: 0.90695
    cpe: cpe:2.3:a:sap:sap_web_application_server:6.10:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: sap_web_application_server
    shodan-query:
      - html:"SAP Business Server Pages Team"
      - http.html:"sap business server pages team"
    fofa-query: body="sap business server pages team"
  tags: cve,cve2005,sap,redirect,business,xss


http:
  - method: GET
    path:
      - "{{BaseURL}}/sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=https%3a%2f%2finteract.sh"


    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
# digest: 4a0a00473045022100c119b14935460ddd5eed1e46576940d17658c5acdbd9def8ac5912024a4a86bc022014357b4898f46615291fa724d19fe5aaf92fc15a72c521f9322382730a302ed1:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2005/CVE-2005-3634.yaml"

View on Github