id: CVE-2005-3634 info: name: SAP Web Application Server 6.x/7.0 - Open Redirect author: ctflearner severity: medium description: | frameset.htm in the BSP runtime in SAP Web Application Server (WAS) 6.10 through 7.00 allows remote attackers to log users out and redirect them to arbitrary web sites via a close command in the sap-sessioncmd parameter and a URL in the sap-exiturl parameter. impact: | An attacker can exploit this vulnerability to redirect users to malicious websites, leading to phishing attacks. remediation: | Apply the latest security patches and updates provided by SAP to fix the open redirect vulnerability. reference: - https://www.exploit-db.com/exploits/26488 - https://cxsecurity.com/issue/WLB-2005110025 - https://marc.info/?l=bugtraq&m=113156525006667&w=2 - http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf - https://exchange.xforce.ibmcloud.com/vulnerabilities/23031 - https://nvd.nist.gov/vuln/detail/CVE-2005-3634 classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N cvss-score: 5 cve-id: CVE-2005-3634 cwe-id: NVD-CWE-Other epss-score: 0.02843 epss-percentile: 0.897 cpe: cpe:2.3:a:sap:sap_web_application_server:6.10:*:*:*:*:*:*:* metadata: max-request: 1 vendor: sap product: sap_web_application_server shodan-query: html:"SAP Business Server Pages Team" tags: cve,cve2005,sap,redirect,business,xss http: - method: GET path: - "{{BaseURL}}/sap/bc/BSp/sap/menu/fameset.htm?sap--essioncmd=close&sapexiturl=https%3a%2f%2finteract.sh" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # digest: 4b0a004830460221009b702e9a18c644f2a8ddd637cd2d87e35e59ec9159e4726e5b9dbf6cbe27ddcc022100e7fd499cc594ceab440e9188af24fd6eaa6f1eab4514609586796ae41b96b43f:922c64590222798bb761d5b6d8e72950