usd-2024-0003| Reflected XSS in SAP Business Connector
Advisory ID: usd-2024-0003
Product: SAP Business Connector
Affected Version: 4.8.1 SR4 & CF2
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE 79 - 'Reflected Cross-site Scripting')
Security Risk: Medium CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Vendor URL: https://support.sap.com/en/product/connectors/bc.html
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2024-30214
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2024-30214
Desciption
SAP Business Connector is an application developed by SAP SE, a German software corporation specializing in enterprise software solutions.
SAP Business Connector is an integration tool that allows businesses to connect various systems and applications, both within and outside the organization.
It enables seamless data exchange and interoperability between different systems, enabling businesses to automate processes, streamline operations, and improve productivity.
The application provides a platform for integrating diverse systems, such as ERP (Enterprise Resource Planning) systems, databases, web services, and legacy systems.
It supports a wide range of communication protocols, including HTTP, FTP, SOAP, and XML.
Version 4.8.1 with Patch SR4 and CF2 was found to be vulnerable to a reflected XSS vulnerability in the /invoke/ endpoints.
Proof of Concept
All available service functions can be tested in the package management menu.
All service calls start with the endpoint /invoke. Any GET parameters can be appended to the function calls, which are then reflected in the server response. If the parameter contains JavaScript code, this code will be processed. This behavior is demonstrated as an example in the following request:
GET /invoke/pub.event.audit/logToFile?ywnm2%3cscript%3ealert(document.domain)%3c%2fscript%3ejfv6f=1
HTTP/1.1
Host: 10.3.161.8:5555
[...]
Response:
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Connection: Close
Content-Length: 339
<HTML>
<BODY bgcolor=#dddddd>
<TABLE bgcolor=#dddddd border=1width=100%>
<TR>
<TD valign=top>
<B>ywnm2
<script>alert(document.domain)</script>
jfv6f</B>
</TD>
<TD>1
</TD>
</TR>
[...]
Attackers have to induce the victim to issue a malicious request, for example by providing a prepared link. If someone accesses the link, the JavaScript code will be executed within the browsing context of the user.
A reflected XSS vulnerability can be exploited in various ways. A common attack is to steal sensitive information from the user and secretly transmit it to the attacker. Alternatively, attackers can perform actions with the rights of the user.
Fix
It is recommended to treat all input on the website as potentially dangerous.
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
The majority of programming languages support standard procedures for encoding meta characters. Additionally, all input should be validated on the server-side.
Where possible, a list of allowed characters should be defined.
References
https://owasp.org/www-community/attacks/xss/
Timeline
- 2023-12-15: Vulnerability identified by Ole Wagner and Christian Poeschl.
- 2024-01-08: Initial contact request via SAP's disclosure form.
- 2024-02-05: SAP confirmed as vulnerability.
- 2024-03-26: Received status update stating that fixes for confirmed vulnerabilities are currently in development/already released. Further information will be provided by SAP.
- 2024-04-09: Patch released as SAP Note 3421453
Credits
This security vulnerability was found by Christian Poeschl and Ole Wagner of usd AG.