To discover whether you are at risk, check whether URL redirection is enabled on your login page. If it is enabled and you have not enabled SAP login security, an attacker can easily change the source code of the login page to point at their own server and obtain your login credentials. An attacker can also change the source code of the login page to a hardcoded URL, for example www.example.com/login, which does not require entering login credentials. The attacker can then use those credentials to log in to other systems or to create new accounts on the affected system.

How does URL redirection cause account takeover?

If URL redirection is enabled on the login page and you have not set up SAP login security, an attacker can change the source code of the login page to point at their own server and thereby obtain your login credentials. If they change the source code to a hardcoded URL, such as www.example.com/login, they would not need to enter any passwords to log in, because they would be using valid credentials from your account.
In addition, URL redirection might allow an attacker to change the source code of the login page to a different domain or subdomain (for example, cve-2022-41204-2.sap-support.com). This could let them access another system with your credentials without ever having entered them into a field on that system's website.

Check if URL redirection is enabled

You can check whether URL redirection is enabled by clicking the Security tab on the SAP login page. If URL redirection is enabled, disable it. Instead of URL redirection, use SAP login security to protect your system against unauthorized access.

Prerequisites

Before you can assess your risk of being affected, or perform a vulnerability assessment, you should:
- Check if URL redirection is enabled on your login page.
- If it is enabled, ensure that SAP login security is also enabled.
- Ensure that the source code of the login page is not hardcoded.
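The check above and the "Check if URL redirection is enabled" section both come down to one question: can the login page be made to send a user, together with their session, somewhere the operator did not intend? As an added example (not SAP code and not part of this advisory), the following Python shows the redirect validation a login page needs once URL redirection is enabled, plus a small audit over constructed access-log lines that flags redirect targets pointing off-site. The parameter name `redirect_to`, the host names, and the log format are assumptions.

```python
"""Safe post-login redirect validation and a log audit for off-site redirect targets.

Added illustration only; this is not SAP code. The query parameter name
``redirect_to``, the allowed host names and the access-log format are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that a post-login redirect may legitimately point to (assumed value).
ALLOWED_HOSTS = {"portal.example.com"}


def is_safe_redirect(target: str, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Return True only if ``target`` is a local path or stays on an allowed host over HTTPS."""
    if not target:
        return False
    # Browsers strip tabs and newlines before parsing, so strip them first; otherwise
    # "java\tscript:" would slip past the scheme check below.
    candidate = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    # Browsers treat "/\evil.example" like "//evil.example"; normalise so urlsplit sees it too.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript: and similar
    if parts.netloc:
        # Absolute or protocol-relative URL: host must be allowlisted and scheme must be https.
        # ``hostname`` drops userinfo, so "https://portal.example.com@evil.example" yields evil.example.
        host = parts.hostname
        if host is None or host.lower() not in allowed_hosts:
            return False
        return parts.scheme.lower() == "https"
    # Relative target: exactly one leading slash. "//host" and "///host" resolve off-site.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(target: str, default: str = "/") -> str:
    """Pick the landing page after login: the requested target if safe, else a fixed default."""
    return target if is_safe_redirect(target) else default


# Constructed access-log lines (not real traffic) in a common-log-like format.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2022:21:15:00 +0000] "GET /login?redirect_to=/portal/home HTTP/1.1" 302',
    '10.0.0.9 - - [11/Oct/2022:21:15:03 +0000] "GET /login?redirect_to=https://evil.example/login HTTP/1.1" 302',
    '10.0.0.9 - - [11/Oct/2022:21:15:07 +0000] "GET /login?redirect_to=//evil.example HTTP/1.1" 302',
    '10.0.0.7 - - [11/Oct/2022:21:15:09 +0000] "GET /login HTTP/1.1" 200',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def audit_redirects(log_lines, param: str = "redirect_to"):
    """Return (line_index, target) for every request whose redirect target fails validation."""
    flagged = []
    for idx, line in enumerate(log_lines):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for target in query.get(param, []):
            if not is_safe_redirect(target):
                flagged.append((idx, target))
    return flagged


if __name__ == "__main__":
    for idx, target in audit_redirects(SAMPLE_LOG):
        print(f"line {idx}: unsafe redirect target {target!r}")
```

The validator deliberately treats anything with a host part as suspect unless it is on the allowlist, and falls back to a fixed landing page rather than trying to "repair" a bad target. Running the same check over the login endpoint's access log is a cheap way to see whether anyone is already probing the redirect parameter.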

Weak Default Credentials

It is important to review your login credentials on a regular basis. You should also monitor how often you are the target of an attack and how many vulnerabilities are discovered; you can do this by reviewing the SAP Security Feeds, which list recent security advisories.
Change your passwords regularly and use different passwords for different systems. This helps prevent common attacks such as dictionary-based brute-force attacks.

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 20:29:00 UTC
