SAP Web Application Server contains a flaw that allows a remote HTTP response splitting attack. This flaw exists because the application does not validate the 'sap-exiturl' variable upon submission to the BSP applications. This could allow an attacker to create a specially crafted URL that would present a fake web page to a user, steal session cookies, or execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

SAP AG. has released a patch to address this vulnerability. Contact their technical support for further information.

• Security Tracker: 1015174
• Bugtraq ID: 15360
• Secunia Advisory ID: 17515
• SCIP VulDB ID: 1885
• CVE ID: 2005-3633 (see also: NVD)
• Related OSVDB ID: 20715 20716 20717
• VUPEN Advisory: ADV-2005-2361
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0216.html
• Generic Informational URL: http://en.wikipedia.org/wiki/HTTP_response_splitting
• Other Advisory URL: http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_HTTP_Response_Splitting_in_SAP_WAS.pdf
• Vendor URL: http://www.sap.com/

• Leandro Meiners - lmeinerscybsec.com - CYBSEC S.A.