https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257557#M4590688 <P>Hi Javier,</P><P>The purpose of the GET or POST methods are to have the 404 HTTP error returned. If you get this response, then it means that you have correctly performed the fix from SAP Note <A href="https://launchpad.support.sap.com/#/notes/2939665">2939665.<BR /></A></P><P>Regards,</P><P>Cris<BR /></P> Mon, 24 Aug 2020 22:52:47 GMT cris_hansen 2020-08-24T22:52:47Z https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaq-p/12257554 <P>Hi, </P> <P>Extracted from the SAP Note #2939665 there are two methods to verify if the vulnerable URL is blocked, by a POST call or a WS Navigator, but using the public python PoC, and after seeing the code myself, it seems that a GET call works too to proof if a server is vulnerable. </P> <P>Could you confirm this? And if yes, Could you change the details in the SAP Note #2939665?</P> <P>Thanks in advance.</P> <P>Regards</P> <P>Javier </P> Mon, 24 Aug 2020 17:36:43 GMT https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaq-p/12257554 Former Member 2020-08-24T17:36:43Z https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257555#M4590686 <P>Hello Javier,</P><P>If you have the same 404 HTTP error when using the GET method, then you see that the URL is blocked.</P><P>About a change in the details in SAP Note <A href="https://launchpad.support.sap.com/#/notes/2939665" target="_blank">2939665</A>, this should be addressed via Support Incident, under BC-INS-CTC component, owner of the SAP Note.</P><P>Related to this topic, you can also read KBA <A href="https://launchpad.support.sap.com/#/notes/2948106" target="_blank">2948106</A> - FAQ - for SAP Note <A href="https://launchpad.support.sap.com/#/notes/2934135" target="_blank">2934135</A> - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard).</P><P>Regards,</P><P>Cris</P> Mon, 24 Aug 2020 17:43:36 GMT https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257555#M4590686 cris_hansen 2020-08-24T17:43:36Z https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257556#M4590687 <P>Thanks for the reply. </P><P>So it means that "yes" a GET call is also valid to verify the vulnerability. Would you agree?</P><P>In addition: </P><P>Would the part "?wsdl" call from the URL: <A href="https://&lt;host&gt;:&lt;port&gt;/CTCWebService/CTCWebServiceBean?wsdl" target="test_blank">https://&lt;host&gt;:&lt;port&gt;/CTCWebService/CTCWebServiceBean?wsdl</A> also indicates that a system is vulnerable?</P><P>Would it be a good practice to scan for this vulnerability on all the possible JAVA ports reported by SAP <A href="https://help.sap.com/viewer/ports" target="_blank">here</A>?</P><P>Regards.</P><P>Javier</P> Mon, 24 Aug 2020 22:38:28 GMT https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257556#M4590687 Former Member 2020-08-24T22:38:28Z https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257557#M4590688 <P>Hi Javier,</P><P>The purpose of the GET or POST methods are to have the 404 HTTP error returned. If you get this response, then it means that you have correctly performed the fix from SAP Note <A href="https://launchpad.support.sap.com/#/notes/2939665">2939665.<BR /></A></P><P>Regards,</P><P>Cris<BR /></P> Mon, 24 Aug 2020 22:52:47 GMT https://community.sap.com/t5/technology-q-a/sap-recon-vulnerability-validation-method-issue/qaa-p/12257557#M4590688 cris_hansen 2020-08-24T22:52:47Z