BEST OF THE WEB

Cross-site scripting patches issued for SAP, Salesforce

Cross-site scripting (XSS) vulnerabilities are nasty problems that allow attackers to inject client side script into Web pages.
According to the Open Web Application Security Project (OWAS), because a browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Which is why news that two leading software providers, SAP and Salesforce, have discovered and fixed XSS problems is both alarming — that they existed — and reassuring.

–Researchers at Elastica Cloud Threat Labs found a vulnerability in a subdomain of Salesforce used for blogging purposes. “This vulnerability in “admin.salesforce.com” could have been exploited by attackers to hijack Salesforce accounts or to distribute malicious code to the users,” the vendor reported.

“This subdomain was vulnerable to a reflected Cross-site Scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request. As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users. Furthermore, all Salesforce accounts for different applications (including cloud) were at risk because Salesforce uses Single Sign On (SSO) for managing multiple accounts.”

Salesforce-XSS_Figure4

(Researchers were able to create this look-alike salesforce login page and inject it into a vulnerable app)

While Salesforce was told more than a month ago about the vulnerability, it took some prodding before the company acted. Apparently it didn’t think the problem was severe because it wasn’t in the main “salesforce.com” website. After Elastica send a reminder, Salesforce patched the hole.

–SAP issued fixes for 22 vulnerabilities, the biggest number — eight — dealing with cross-site scripting issues. (Th next biggest category was information disclosure bugs). The August patch day page has few details about the fixes,  but according to ERPscan, which sells security solutions for SAP and Oracle systems, the patches fix an XSS vulnerability in SAP Afaria 7.

Other major vulnerabilities patched include a Remote Command Execution vulnerability in SAP ST-P,  a Reflected File Download vulnerability in NetWeaver AFP Servlet, and a Running Process Remote Termination vulnerability and an incorrect system configuration vulnerability in SAP HANA,

VD_chart.PNG

(This SAP graphic breaks down patch categories issued this week)

XSS flaws can be difficult to identify and remove from a web application, notes OWAS. It says the best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. “Note that a variety of different HTML tags can be used to transmit a malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.”

Infosec pros and developers who want more detail can consult this OWAS  cross-site scripting prevention cheat sheet, with eight rules to follow.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web