usd-2023-0017 | XSS in SAP Partner Portal

Advisory ID: usd-2023-0017
Product: SAP Partner Portal
Vulnerability Type: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: HIGH
Vendor URL: https://partneredge.sap.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: Not assigned
CVE Link: Not assigned

Description

In cases where users do not have sufficient permissions to view a specific URL within the SAP Partner Portal, they are redirected to an error page.
During this redirection the requested URL is passed to the error page as a URL parameter and embedded into the error message without any filtering or encoding.

Therefore it is possible to include HTML tags and JavaScript in the URL, which allows malicious actors to launch XSS attacks.

Proof of Concept

A proof-of-concept JavaScript alert box is shown when this URL is opened:

https://partneredge.sap.com/en/errors/not-authorized.html?deniedPage=https%3A%2F%2Fpartneredge.sap.com%3Cimg%20src=x%20onerror=alert(document.domain)%3Ea%2Fen%2F.html

Fix

Filter and encode user input before embedding it into error messages.
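As an added example of the fix above (not SAP's code and not the patch the advisory refers to), the following shows the vulnerable rendering shape described in the Description section beside a hardened one for the reflected deniedPage parameter: the value is first validated as a same-origin https URL and then HTML-entity-encoded before it is embedded in the error message. The PORTAL_ORIGIN constant and the function names are assumptions for illustration.

```javascript
// Added example, not SAP's code. PORTAL_ORIGIN is an assumption for illustration.
const PORTAL_ORIGIN = "https://partneredge.sap.com";

// Entity-encode the characters that matter in an HTML text context.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Validation layer: accept only absolute URLs on the portal's own origin.
// Unparsable input (the PoC payload contains '<' and spaces in the host part,
// which the WHATWG URL parser rejects), other hosts and other schemes all
// return null so the error page never echoes attacker-controlled input.
function validateDeniedPage(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  if (url.origin !== PORTAL_ORIGIN) return null;
  return url.href;
}

// Vulnerable shape described in the advisory: the parameter is concatenated
// into the error message verbatim, so markup in it is rendered by the browser.
function renderUnsafe(deniedPage) {
  return `<p>You are not authorized to view ${deniedPage}</p>`;
}

// Hardened shape: validate, fall back to a generic message, and encode.
// Encoding is kept even for validated values as defence in depth.
function renderSafe(deniedPage) {
  const valid = validateDeniedPage(deniedPage);
  if (valid === null) {
    return "<p>You are not authorized to view the requested page.</p>";
  }
  return `<p>You are not authorized to view ${htmlEncode(valid)}</p>`;
}
```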

References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Timeline

  • 2023-04-25: The vulnerability was identified by Nicolas Schickert.
  • 2023-04-28: The responsible disclosure team submitted vulnerability details via https://vulnerability-form.cfapps.sap.hana.ondemand.com/.
  • 2023-05-11: The XSS vulnerability was patched and confirmed to be fixed after a retest by Nicolas Schickert. However, some HTML tags were still not properly encoded, even though XSS was no longer possible.
  • 2023-06-06: A proof of concept for inserting HTML tags was sent to the SAP Security Team.
  • 2023-06-12: SAP reports that the vulnerability is fixed and the reflected URL is now properly sanitized.
  • 2023-09-25: Security advisory released by usd AG.

Credits

This security vulnerability was identified by Nicolas Schickert of usd AG.