1. Introduction
SAP Internet Transaction Server wgate Multiple Parameter XSS is a cross-site scripting vulnerability in the CGI script used by the web server. This allows an attacker to inject malicious code into webpages viewed by users, potentially stealing cookies or performing actions on their behalf. Systems running SAP Internet Transaction Server are affected. A successful exploit could compromise confidentiality, integrity and availability of the website.
2. Technical Explanation
- Root cause: Missing input validation on the ‘urlmime’ parameter within the ‘/scripts/wgate’ CGI script.
- Exploit mechanism: An attacker crafts a malicious URL containing JavaScript code in the ‘urlmime’ parameter. When a user accesses this URL, the injected code is executed in their browser. For example, an attacker could inject a script to redirect users to a phishing site.
- Scope: SAP Internet Transaction Server wgate versions prior to those with fixes for CVE-2006-5114 are affected.
3. Detection and Assessment
Confirming vulnerability requires checking the version of SAP Internet Transaction Server in use, and testing for the presence of the vulnerable script behaviour.
- Quick checks: Check the version of wgate using the SAP GUI or system documentation.
- Scanning: Nessus plugin ID 30594 may detect this vulnerability as an example.
- Logs and evidence: Examine web server logs for requests to ‘/scripts/wgate’ with suspicious ‘urlmime’ parameters. Look for encoded script tags in the request URL.
# No specific command available without SAP access. Check system documentation or GUI version information.4. Solution / Remediation Steps
Currently, there is no known solution at this time. Mitigation focuses on limiting exposure and monitoring for exploitation attempts.
4.1 Preparation
- Services: No services need to be stopped, but monitor resource usage during testing. A roll back plan involves restoring from the pre-change backup.
- Dependencies: None known. Change windows may be required depending on service level agreements.
4.2 Implementation
- Step 1: Monitor web server logs for suspicious activity related to ‘/scripts/wgate’.
- Step 2: Implement a Web Application Firewall (WAF) rule to block requests containing potentially malicious JavaScript code in the ‘urlmime’ parameter.
4.3 Config or Code Example
Before
# No configuration changes are possible without a patch. This is an example of vulnerable behaviour:
/scripts/wgate?urlmime=After
# WAF rule example (syntax varies by vendor):
BLOCK requests to /scripts/wgate containing