1. Introduction
SAP BusinessObjects has a cross-site scripting vulnerability in the ‘error’ parameter of the ‘/PerformanceManagement/jsp/viewError.jsp’ web application component. This allows an attacker to inject malicious script code into a user’s browser session via a crafted URL. Affected systems are typically those running SAP BusinessObjects, and successful exploitation could lead to information disclosure or account compromise. The vulnerability poses a medium risk to confidentiality, integrity, and availability.
2. Technical Explanation
The version of SAP BusinessObjects installed on the remote web server does not properly sanitise input passed to the ‘error’ parameter within ‘/PerformanceManagement/jsp/viewError.jsp’. This lack of validation allows an attacker to inject arbitrary JavaScript code that will be executed in a user’s browser when they access a specially crafted URL. The vulnerability is identified as CWE-20, CWE-442, CWE-629, CWE-711, CWE-712, CWE-722, CWE-725, CWE-74, CWE-750, CWE-751, CWE-79, CWE-800, CWE-801, CWE-809, CWE-811, CWE-864, CWE-900, CWE-928 and CWE-931.
- Root cause: Missing input validation on the ‘error’ parameter of ‘/PerformanceManagement/jsp/viewError.jsp’.
- Exploit mechanism: An attacker crafts a URL containing malicious JavaScript in the ‘error’ parameter, then tricks a user into clicking it. For example:
http://[target]/PerformanceManagement/jsp/viewError.jsp?error=
- Scope: SAP BusinessObjects installations are affected. Specific versions were not identified in the scan results.
3. Detection and Assessment
Confirming the vulnerability requires checking for the presence of the vulnerable component and testing its input handling. A quick check is to identify the installed version of SAP BusinessObjects, if possible through the web interface or system information files. A thorough assessment requires direct testing of the ‘error’ parameter with XSS payloads.
- Quick checks: Check the SAP BusinessObjects version number via the administration console.
- Scanning: Nessus ID 37900 can detect this vulnerability, but may not be exhaustive.
- Logs and evidence: Monitor web server logs for requests to ‘/PerformanceManagement/jsp/viewError.jsp’ containing suspicious characters or script tags in the ‘error’ parameter.
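The log check in the last bullet can be scripted. The following is an added example, not part of the original advisory or any SAP tooling; it assumes access logs in common/combined format, and the sample lines, the second path and the list of suspicious tokens are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/PerformanceManagement/jsp/viewError.jsp"  # path named in the advisory
# Request portion of a common/combined access-log line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Markup characters and script-related tokens (assumed list; tune for your environment)
SUSPICIOUS_RE = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_error_values(log_line):
    """Return decoded 'error' values in this line that contain markup or script tokens."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    uri = urlsplit(match.group(1))
    # Drop any ;jsessionid=... path parameter before comparing the path
    if uri.path.split(";")[0].lower() != TARGET_PATH.lower():
        return []
    raw_values = parse_qs(uri.query, keep_blank_values=True).get("error", [])
    values = [fully_decode(v) for v in raw_values]  # parse_qs already decoded once
    return [v for v in values if SUSPICIOUS_RE.search(v)]

def scan(lines):
    """Return (line_number, values) for every log line worth reviewing."""
    results = [(n, suspicious_error_values(line)) for n, line in enumerate(lines, 1)]
    return [(n, v) for n, v in results if v]

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2010:10:01:02 +0000] "GET /PerformanceManagement/jsp/viewError.jsp?error=Report+not+found HTTP/1.1" 200 512',
    '192.0.2.44 - - [12/Jan/2010:10:03:17 +0000] "GET /PerformanceManagement/jsp/viewError.jsp?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '192.0.2.44 - - [12/Jan/2010:10:03:40 +0000] "GET /PerformanceManagement/jsp/viewError.jsp?error=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 538',
    '192.0.2.11 - - [12/Jan/2010:10:05:00 +0000] "GET /example/other.jsp?error=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious error parameter {values}")
```

A hit means the request deserves review, not that script ran in a browser; a legitimate error message containing a quote character will also match.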
# No specific command available without knowing SAP BusinessObjects version details. Check administration console.
4. Solution / Remediation Steps
The primary solution is to contact the vendor for a fix or apply any available security patches. This vulnerability requires addressing at the application level due to improper input sanitisation.
4.1 Preparation
- Consider stopping the SAP BusinessObjects web server during patching, if possible.
- Roll back plan: Restore from backup if patching fails or causes instability.
4.2 Implementation
- Step 1: Contact SAP support and request a fix for this vulnerability.
- Step 2: Download and install any available security patches provided by SAP.
4.3 Config or Code Example
Before
# No code example available as this requires vendor-supplied fixes. The vulnerability is in how input is handled by viewError.jsp
After
# After applying the patch, ensure that input to viewError.jsp is properly sanitised. Verify through testing (see Verification section).
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue. Input validation is critical for blocking malicious data. Least privilege limits the impact of successful exploitation. A regular patch cadence ensures timely application of vendor fixes.
- Practice 1: Implement strict input validation on all user-supplied data, especially in web applications.
- Practice 2: Apply a regular patch cycle for SAP BusinessObjects and its components to address known vulnerabilities promptly.
4.5 Automation (Optional)
No automation is available without specific SAP configuration details.
5. Verification / Validation
- Post-fix check: Access http://[target]/PerformanceManagement/jsp/viewError.jsp?error= and confirm that the script does not execute.
- Re-test: Re-run the Nessus scan (ID 37900) to verify the vulnerability is no longer detected.
- Smoke test: Log in to SAP BusinessObjects and perform a standard report generation task.
# Access http://[target]/PerformanceManagement/jsp/viewError.jsp?error=. Expected output: The URL should not execute the script; it should display the raw text instead.
6. Preventive Measures and Monitoring
Update security baselines to include input validation requirements for web applications. Implement static application security testing (SAST) in CI/CD pipelines to identify similar vulnerabilities early. Maintain a regular patch review cycle for SAP BusinessObjects.
- Baselines: Update your web application security baseline to require strict input validation and output encoding.
- Asset and patch process: Review and apply SAP security patches at least quarterly, or sooner if critical vulnerabilities are announced.
7. Risks, Side Effects, and Roll Back
Patching may cause temporary service disruption. Incompatibility with other components is a potential risk. Roll back to the previous configuration by restoring from backup if issues arise.
- Risk or side effect 1: Patch installation could temporarily interrupt SAP BusinessObjects services.
- Risk or side effect 2: Patches may introduce compatibility issues with customisations or integrations.
- Roll back: Restore the SAP BusinessObjects configuration and databases from the pre-patch backup.
8. References and Resources
- Vendor advisory or bulletin: http://www.nessus.org/u?c9cfae68
- NVD or CVE entry: Not available in scan results.
- Product or platform documentation relevant to the fix: https://seclists.org/fulldisclosure/2010/Jan/572