[ERPSCAN-16-022] SAP Hybris E-commerce Suite VirtualJDBC – Default Credentials

Application: SAP Hybris E-commerce Suite
Versions Affected: SAP Hybris E-commerce Suite 5.1.0.3
Vendor URL: SAP
Bugs: Default credentials
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 10.05.2016
Author: Alexey Tyurin (ERPScan)

VULNERABILITY INFORMATION

Class: [CWE-259] Use of Hard-coded Password
Impact: SQL injection
Remotely Exploitable: Yes
Locally Exploitable: No

Description

VirtualJDBC is an additional extension for the SAP Hybris E-commerce Suite. It acts as a proxy that exposes the RDBMS over HTTP, so any SQL query can be run against the database remotely.
The VirtualJDBC servlet requires valid credentials, but a default credential is shipped in a configuration file.
It also has no protection against brute-force attacks.

Business risk
An attacker can use the default credentials to gain unauthorized access to the database and perform various actions in the system. The account may have been implemented in the system as a backdoor.

VULNERABLE PACKAGES

SAP Hybris E-commerce Suite 5.1.0.3
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

Restrict access to the VirtualJDBC servlet.

TECHNICAL DESCRIPTION

Proof of Concept

Default credential:
Username - vjdbcReportsUser
Password - 1234
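As an added defensive check (not part of the ERPScan advisory or SAP's code), the following script audits a Java .properties file for the default credential pair above. The property key names `vjdbc.user` / `vjdbc.password` and the sample file are assumptions constructed for illustration; the advisory does not name the configuration file or its keys.

```python
"""Audit a Hybris-style Java .properties file for the VirtualJDBC default credential.

Added example for this advisory, not ERPScan's or SAP's code. The property key
names (vjdbc.user / vjdbc.password) and the sample file are assumptions
constructed for illustration; the advisory itself does not name the keys.
"""
import re

# Known default from the advisory: vjdbcReportsUser / 1234
DEFAULT_CREDENTIALS = {("vjdbcReportsUser", "1234")}

# Constructed sample config; real Hybris key names may differ (assumption).
SAMPLE_PROPERTIES = """
# local.properties (constructed sample)
db.url=jdbc:mysql://localhost/hybris
vjdbc.enabled = true
vjdbc.user=vjdbcReportsUser
vjdbc.password : 1234
"""

# key = value, with '=' or ':' as separator; the key itself contains neither
_LINE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal Java .properties parser: skips blank/comment lines, accepts '=' or ':'."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def find_default_vjdbc_credentials(props, user_key="vjdbc.user", password_key="vjdbc.password"):
    """Return a list of findings; an empty list means the known default is not configured."""
    user = props.get(user_key)
    password = props.get(password_key)
    if user is None or password is None:
        return []  # VirtualJDBC credentials not configured in this file
    if (user, password) in DEFAULT_CREDENTIALS:
        return [f"{user_key}/{password_key}: known default credential '{user}' is still configured"]
    return []

def audit(text):
    """Parse a properties file and report whether the advisory's default credential is present."""
    return find_default_vjdbc_credentials(parse_properties(text))

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES) or ["no default VirtualJDBC credential found"]:
        print(finding)
```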