Full Report
A URL parameter was being copied into a response header. In particular, the value of the `pVersion` request parameter was reflected, after URL decoding, into the `x-errordescription` response header without any check on its content. Since the attacker controls this value and the server does not filter it, the attacker can insert carriage return / line feed sequences and change the structure of the response. This is called CRLF injection (HTTP response splitting). Because they can append headers (and, after a blank line, a body!) they can set the `Content-Type` of the response to `text/html` and supply their own body, which the browser then renders as HTML. That is how the authors turned a header injection into XSS, which is pretty sick. Frameworks such as Flask (via Werkzeug) block this by default by refusing to set a header whose value contains a newline, raising "Header values must not contain newline characters."
Analysis Summary
# Vulnerability: Response Header Injection leading to XSS in SAP HTTP Content Server
## CVE Details
- CVE ID: CVE-2023-26457
- Severity: High (the advisory rates the risk as HIGH; no numeric CVSS score is given on this page)
- CWE: CWE-644 (Improper Neutralization of HTTP Headers for Scripting Syntax)
## Affected Systems
- Products: SAP HTTP Content Server
- Versions: Server Version 753 running Patch 1028, Build Version Auf 12 2022 (N)
- Configurations: Any unpatched installation; the flaw is in the server's handling of the `pVersion` parameter (CRLF characters are not filtered before the value is reflected into the `x-errordescription` response header), not in a particular configuration.
## Vulnerability Description
The SAP HTTP Content Server reflects unvalidated input from the `pVersion` request parameter into the `x-errordescription` response header. The input is URL-decoded during this process, so an attacker can smuggle carriage return and line feed characters in percent-encoded form (`%0d%0a`; a bare `%0a` is enough for most parsers). The injected CRLF sequences allow an attacker to:
1. Inject new HTTP response headers (e.g., changing `Content-Type` to `text/html`).
2. Terminate the header section and inject arbitrary content into the HTTP response body.
This technique is known as Response Header Injection or HTTP Response Splitting.
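To make the mechanism concrete, here is an added Python example (not SAP's code and not the advisory's PoC) that reproduces the vulnerable pattern next to a hardened version. The endpoint path `/cs`, the `400` status line and the "Unknown version" error text are assumptions standing in for the real server; only the parameter name `pVersion`, the header name `x-errordescription` and the injection technique come from the advisory.

```python
from urllib.parse import parse_qs, quote

# Constructed stand-in for the affected endpoint. The real product is SAP
# HTTP Content Server; this toy only reproduces the described behaviour.
# Status line and error text are assumptions.
STATUS_LINE = "HTTP/1.1 400 Bad Request"


def _pversion(request_target: str) -> str:
    """Extract the pVersion query parameter. parse_qs URL-decodes the value,
    which is exactly what turns %0d%0a into a real CR/LF pair."""
    query = request_target.partition("?")[2]
    return parse_qs(query, keep_blank_values=True).get("pVersion", [""])[0]


def _serialize(headers) -> bytes:
    """Assemble a raw HTTP/1.1 response head (no body of its own)."""
    head = STATUS_LINE + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return (head + "\r\n").encode("latin-1")


def build_error_response_vulnerable(request_target: str) -> bytes:
    """Vulnerable pattern: the decoded parameter goes straight into a header."""
    value = _pversion(request_target)
    return _serialize([("x-errordescription", f"Unknown version {value}")])


def header_value_or_raise(value: str) -> str:
    """Werkzeug-style guard: refuse to emit a header containing CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("Header values must not contain newline characters.")
    return value


def build_error_response_fixed(request_target: str) -> bytes:
    """Hardened pattern: reject CR/LF, and fall back to percent-encoding the
    attacker data so the header stays on a single line."""
    value = _pversion(request_target)
    try:
        safe = header_value_or_raise(value)
    except ValueError:
        safe = quote(value, safe="")  # \r\n -> %0D%0A, < -> %3C, etc.
    return _serialize([("x-errordescription", f"Unknown version {safe}")])


def parse_response(raw: bytes):
    """Minimal client-side view: (status line, header dict, body bytes).
    The first blank line ends the headers, just as a browser sees it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers, body


# Constructed payload in the shape the advisory describes: terminate the
# header line, add a Content-Type, end the header block, supply a body.
PAYLOAD = ("/cs?pVersion=0046%0d%0aContent-Type:%20text/html"
           "%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E")

if __name__ == "__main__":
    for builder in (build_error_response_vulnerable, build_error_response_fixed):
        status, hdrs, body = parse_response(builder(PAYLOAD))
        print(builder.__name__, hdrs.get("content-type"), body[:40])
```

With the vulnerable builder the parsed response carries `Content-Type: text/html` and a body of `<script>alert(1)</script>`; with the hardened builder the whole payload stays inside the single `x-errordescription` line (`%0D%0A` instead of real line breaks) and the body is empty. Rejecting the value outright, as Werkzeug does, is the stricter choice; encoding is shown only to keep the error message usable.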
## Exploitation
- Status: PoC available (Proof of Concept provided in the source article)
- Complexity: Low (Requires sending a specially crafted URL request)
- Attack Vector: Network (Remote)
### Impact
- Confidentiality: Potential, depending on further exploitation (e.g., in phishing).
- Integrity: High (Risk of Response Splitting, Cache Poisoning, or Cross-Site Scripting).
- Availability: Low (Denial of service is possible but not the primary documented impact).
The primary documented impact shown in the PoC is Cross-Site Scripting (XSS) by forcing the browser to interpret content in the response body as HTML due to a manipulated `Content-Type` header.
## Remediation
### Patches
- Refer to SAP Note: `3281484` for details on the fix provided by SAP.
- Customers running SAP HTTP Content Server 753 should apply the necessary security patch corresponding to this note.
### Workarounds
- The general recommendation is to perform output validation to filter, escape, or encode unsafe data passed from the server in an HTTP response header.
- Specifically, enforce that header values (like those derived from user input) must not contain newline characters (CR/LF).
## Detection
- Indicators of compromise: In request logs, look for `pVersion` (or any other reflected parameter) carrying URL-encoded CR/LF (`%0d`, `%0a`, including double-encoded `%250a`); in captured responses, look for an `x-errordescription` header that is followed by unexpected headers or by a body the server did not generate.
- Detection methods and tools: Web Application Firewalls (WAFs) or network monitoring tools should alert on input containing URL-encoded newlines directed at parameters that influence HTTP response headers.
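As an added example of the log-side check described above (not part of the advisory or of any SAP tooling), the following Python scans combined-format access-log lines and reports every request whose query parameters decode to a CR or LF. The log lines are constructed for illustration; the `/cs` path and parameters other than `pVersion` are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Apache/nginx combined-log style), not real
# traffic. The /cs path, contRep and docId are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2023:10:00:01 +0000] "GET /cs?get&pVersion=0046&contRep=Z1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2023:10:00:07 +0000] "GET /cs?get&pVersion=0046%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 400 0',
    '10.0.0.9 - - [12/Jan/2023:10:00:09 +0000] "GET /cs?get&pVersion=0046%250d%250aContent-Type:%20text/html HTTP/1.1" 400 0',
    '10.0.0.7 - - [12/Jan/2023:10:00:12 +0000] "POST /cs?docId=abc HTTP/1.1" 200 12',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CRLF = ("\r", "\n")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded newline
    (%250a) is caught as well as a plain %0a."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def crlf_params(target: str) -> list:
    """Names of query parameters whose decoded value contains CR or LF."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already decodes once; decode_fully handles further layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if any(c in decode_fully(value) for c in CRLF):
            hits.append(name)
    return hits


def scan_log(lines) -> list:
    """(line number, [parameter names]) for every request carrying encoded CR/LF."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        params = crlf_params(m.group("target"))
        if params:
            findings.append((lineno, params))
    return findings


if __name__ == "__main__":
    for lineno, params in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: encoded CR/LF in {', '.join(params)}")
```

Run against the sample, the scan flags lines 2 and 3 (the plain and the double-encoded injection attempt) and ignores the benign requests. The same predicate can be lifted into a WAF rule; the bounded repeated decoding is the part most rules forget.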
## References
- Vendor Advisory (SAP Note): [https://launchpad.support.sap.com/#/notes/3281484](https://launchpad.support.sap.com/#/notes/3281484)
- Advisory Source: [https://herolab.usd.de/security-advisories/usd-2022-0046/](https://herolab.usd.de/security-advisories/usd-2022-0046/)