# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure# Versions Affected: SAP NetWeaver 6.4 - 7.5# Vendor URL: http://SAP.com# Bugs:Information disclosure (Enumerate users)# Sent:2016-12-15# Reported:2016-12-15# Date of Public Advisory: 09.02.2016# Reference: SAP Security Note 2344524# Author: Richard Alviarez (SIA Group)# CVE: N/A# 1. ADVISORY INFORMATION# Title: SAP NetWeaver Web Dynpro – information disclosure (Enumerate users)# Advisory ID: 2344524# Risk: Medium# Date published: 20.12.2016# 2. VULNERABILITY DESCRIPTION# Anonymous attacker can use a special HTTP request to get information# about SAP NetWeaver users.# 3. VULNERABLE PACKAGES# SAP NetWeaver Web Dynpro 6.4 - 7.5# Other versions are probably affected too, but they were not checked.# 4. TECHNICAL DESCRIPTION# A potential attacker can use the vulnerability in order to reveal# information about user names,# first and last names, and associated emails, this can provide an attacker# with enough information# to make a more accurate and effective attack# Steps to exploit this vulnerability1. Open
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
or
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
page on SAP server
2. Press "Change processor" button
3. and in the "find" section, put the initial or name to be searched,
followed by a *
You will get a list of SAP users and information.
