SAP Querybuilder Information Disclosure

The query builder of SAP BusinessObjects leaks sensitive data when supplied with certain values in the login page's fields. An attacker can fill the login parameters with an arbitrarily long character sequence, which causes the server to perform unintended actions and leak sensitive data such as the system name. The vulnerability was reported as CVE-2018-2441.

Background

The query builder of SAP BusinessObjects lacks input validation on the login page's fields. The username, password, and system fields are neither validated nor checked for input length, and the hostname and username fields accept almost all special characters.
The field values are stored in a cookie, which can lead to service disruption and unexpected behaviour such as disclosure of the system name.
The lack of input validation could serve as a platform for further attacks, especially because the unvalidated values are reflected in the cookie header.


Steps to Reproduce

The BusinessObjects query builder is usually hosted at the following location: https://target/AdminTools

An attacker can submit more than ~7300 characters to force the server to respond with “internal server error”. The ~7300 characters can be spread across all fields or placed in a single one. The attacker then browses to the following location to view the sensitive information: https://targethost/AdminTools/querybuilder/null?action=logonerror

Root Cause

This issue exists because of insufficient input filtering. To mitigate it, we recommend sanitizing user-supplied input and limiting its length before it is sent to the server and stored in a cookie.
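As an added illustration of that recommendation (example code, not SAP's own), the following Python validates the three logon fields before anything reaches the cookie. The per-field length caps, the character allowlists and the cookie name are assumptions made for this example.

```python
import re
from urllib.parse import quote

# Per-field caps (assumed values, not SAP's own). Because every field is capped,
# spreading an oversized payload across the fields cannot get around the limit.
MAX_LEN = {"username": 128, "password": 256, "system": 255}
# Assumed allowlists: a host name with an optional :port, and a conservative username charset.
SYSTEM_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?(:\d{1,5})?$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_logon(fields):
    """Return (True, "") if all logon fields are acceptable, else (False, reason).

    Checks run on the raw values; nothing is trimmed or "cleaned up" silently.
    """
    for name in ("username", "password", "system"):
        value = fields.get(name)
        if not isinstance(value, str) or not value:
            return False, f"{name}: missing"
        if len(value) > MAX_LEN[name]:
            return False, f"{name}: longer than {MAX_LEN[name]} characters"
        if CONTROL_CHARS.search(value):
            return False, f"{name}: control characters are not allowed"
    if not USERNAME_RE.fullmatch(fields["username"]):
        return False, "username: contains characters outside the allowlist"
    if not SYSTEM_RE.fullmatch(fields["system"]):
        return False, "system: not a valid host name or host:port"
    return True, ""


def logon_cookie(fields):
    """Build the Set-Cookie value for a validated logon, or None if it was rejected.

    Only the non-secret fields are stored, percent-encoded so that ';', '=' or '&'
    inside a value can never change the cookie's structure. Cookie name is hypothetical.
    """
    ok, _reason = check_logon(fields)
    if not ok:
        return None
    payload = "&".join(f"{k}={quote(fields[k], safe='')}" for k in ("username", "system"))
    return f"qb_logon={payload}; Path=/AdminTools; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    # Constructed inputs: a normal logon, and one spreading ~7300 characters over the fields.
    good = {"username": "report.admin", "password": "Tr0ub4dor&3", "system": "bo-server.example.com:6400"}
    flood = {"username": "A" * 2500, "password": "A" * 2500, "system": "A" * 2300}
    print(check_logon(good), logon_cookie(good))
    print(check_logon(flood), logon_cookie(flood))
```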

Fix

The issue was fixed in release 4.2.

Credit

Credit for finding and reporting the issue:

Alhamzah Al-Mersoumi