Application: SAP Hybris E-commerce
Vendor URL: SAP
Bugs: SQL Injection
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 14.02.2016
Reference: SAP replied “Due to the fact that this issue is inside Hybris cloud we don’t provide a security note. Please mention inside your upcoming advisories that the fix is already implemented and that our Customers are secure.”
Author: Aleksey Tyurin (ERPScan)

VULNERABILITY INFORMATION

Class: SQL Injection
Impact: read, modify or delete sensitive data
Remotely Exploitable: yes
Locally Exploitable: no

Description

VirtualJDBC is an optional extension for SAP Hybris E-commerce. It acts as a proxy that exposes the backing RDBMS over HTTP.

Because the extension simply forwards SQL to the database, anyone who can reach the servlet and authenticate to it can run arbitrary SQL queries against the database remotely.

The VirtualJDBC servlet requires a valid credential, but it has no protection against brute-force attacks, so the credential can be guessed through repeated login attempts.
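The combination of an HTTP-reachable SQL proxy and an unthrottled login is what makes the credential guessable. The following script, added here as an example and not part of the advisory or of SAP's Hybris code, flags source addresses that repeatedly fail authentication against the /virtualjdbc/ path in a Common Log Format web-server access log. It assumes that a rejected credential is logged as HTTP 401 or 403 (the advisory does not say how the servlet reports a bad login) and runs over a constructed sample log embedded in the script.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: client ip, ident, user, [timestamp], "request", status, size.
# Only the fields used below are captured; the trailing size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PREFIX = "/virtualjdbc/"      # servlet path named in the advisory
AUTH_FAILURE_STATUSES = {401, 403}   # assumption: how a rejected credential is logged


def parse_line(line):
    """Return (ip, timestamp, path, status) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=5, window_seconds=300):
    """Flag source IPs with at least `threshold` failed logins to the servlet
    inside any `window_seconds` span. Returns {ip: failures in the densest window}
    for flagged IPs only; other IPs are omitted."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable line: skip rather than crash on log noise
        ip, ts, path, status = parsed
        if path.startswith(TARGET_PREFIX) and status in AUTH_FAILURE_STATUSES:
            failures[ip].append(ts)

    alerts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best = 0
        start = 0
        # Sliding window over the sorted failure timestamps of this IP.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


# Constructed sample log (not real traffic): one guessing client, one
# legitimate user with a typo, and an unrelated 401 on a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2016:10:00:01 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
203.0.113.7 - - [01/Feb/2016:10:00:02 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
203.0.113.7 - - [01/Feb/2016:10:00:04 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
198.51.100.5 - - [01/Feb/2016:10:00:05 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
203.0.113.7 - - [01/Feb/2016:10:00:07 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
192.0.2.9 - - [01/Feb/2016:10:00:08 +0000] "GET /medias/logo.png HTTP/1.1" 401 0
203.0.113.7 - - [01/Feb/2016:10:00:09 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
198.51.100.5 - - [01/Feb/2016:10:00:11 +0000] "POST /virtualjdbc/ HTTP/1.1" 200 512
203.0.113.7 - - [01/Feb/2016:10:01:30 +0000] "POST /virtualjdbc/ HTTP/1.1" 401 0
this line is not an access log entry
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed VirtualJDBC logins inside the window")
```

The threshold and window are deliberately parameters: a legitimate integration that retries a stale credential a couple of times should not trip the rule, while a guessing client produces dozens of failures in seconds. In the constructed log only 203.0.113.7 is reported (6 failures within 90 seconds).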

Business risk

An attacker can exploit the vulnerability by sending specially crafted SQL queries. They can read and modify sensitive information in the database, execute database administration operations, destroy data or make it unavailable.

VULNERABLE PACKAGES

SAP Hybris E-commerce Suite 5.1.0.3

SOLUTIONS AND WORKAROUNDS

The vulnerability is fixed in version 6.2.

TECHNICAL DESCRIPTION

URL of a vulnerable service:
http://server_hybris.com/virtualjdbc/

Proof of Concept