[ERPSCAN-16-022] SAP Hybris E-commerce Suite VirtualJDBC – Default Credentials
Application: SAP Hybris E-commerce Suite
Versions Affected: SAP Hybris E-commerce Suite 18.104.22.168
Vendor URL: SAP
Bugs: Default credentials
Vendor response: 02.02.2016
Date of Public Advisory: 10.05.2016
Author: Alexey Tyurin (ERPScan)
Class: [CWE-259] Use of Hard-coded Password Impact: SQL injection Remotely Exploitable: Yes Locally Exploitable: No
VirtualJDBC is an additional extension for SAP Hybris E-commerce. It is a kind of proxy for accessing RDBMS over HTTP.
So, there is an opportunity to run any SQL query in the DB remotely.
The VirtualJDBC servlet requires a valid credential, but it has a default one in a configuration file.
Also, it doesn’t have any protection against bruteforce attacks.
An attacker can use default credentials to get unauthorized access to the database and perform various actions in the system. It may have been implemented into the system as a backdoor.
SAP Hybris E-commerce Suite 22.214.171.124
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
Restrict access to Virtual jdbc servlet.
Proof of Concept
Username – vjdbcReportsUser
Password – 1234