lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 09 Nov 2005 10:10:01 -0300
From: Leandro Meiners <>
Subject: CYBSEC - Security Advisory: HTTP Response Splitting in SAP WAS

(The following advisory is also available in PDF format for download at: )


Advisory Name: HTTP Response Splitting in SAP WAS (Web Application

Vulnerability Class: HTTP Response Splitting

Release Date: 11/09/2005

Affected Applications:  
* SAP WAS 6.10
* SAP WAS 6.20
* SAP WAS 6.40
* SAP WAS 7.00

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: High

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy:

Product Overview:

SAP Web Application Server is an open standard-based platform for
developing, and implementing Web applications. SAP Web Application
Server is a crucial component of mySAP® Technology platform as it serves
as the underlying infrastructure for many SAP solutions (for example,
SAP Portal).

SAP WAS provides a development infrastructure on which to develop,
distribute, and execute platform-independent Web services and business
applications. SAP Web Application Server supports ABAP, Java, and Web

The vulnerability discovered only applies to the BSP runtime of SAP WAS.

Vulnerability Description:

SAP Web Application Server was found to be vulnerable to HTTP Response
Splitting, in the parameter sap-exiturl. For further reference regarding
HTTP Response Splitting see the whitepaper "HTTP Response Splitting, Web
Cache Poisoning Attacks, and Related Topics" (available at:

Exploit (PoC):

If the string "%0a%0dHeader:+Value" is passed (omitting the double
quotes) as the value for the parameter sap-exiturl the string "Header:
value" (without the double quotes) is considered as another HTTP header,
indicating the presence of the vulnerability.


The solution, provided by SAP, is to disable support for the parameter
in older 6.10 releases as well as SP's in 6.20 prior to SP54. For new
6.20 and 7.00 releases the sap-exiturl parameter will be submitted to a
customer configured white-list. For further information see SAP Note

Vendor Response:

* 09/23/2005: Initial Vendor Contact.
* 09/27/2005: Technical details for the vulnerabilities sent to vendor.
* 10/14/2005: Solutions provided by vendor for all vulnerabilities.
* 11/09/2005: Coordinate release of advisory.

Contact Information:

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>

For more information regarding CYBSEC:

Leandro Meiners
CYBSEC S.A. Security Systems
Tel/Fax: [54-11] 4382-1600

Powered by blists - more mailing lists