topic Re: Web Dispatcher Security Issue in Application Development and Automation Discussions

Web Dispatcher Security Issue

Former Member — Thu, 31 Jan 2008 18:13:34 GMT

Hello,

when coming in to XI via the Web Dispatcher, URL https://webdisp:443/sap/xi/adapter_plain the normal authentication is done after the SSL handshake, so all data transferred is encrypted.

However, it is also possible to logon via the URL https://webdisp:443/sap/xi/adapter_plain?sap-user=user&sap-password=pw which is sent before the line is encrypted, thus username and password are visible in the internet.

Not a good thing.

Most business partners should be responsible enough to use the right URL, but I want to make sure nobody can use the wrong one.

Does anybody know how to change this behaviour, or if it can be changed at all?

So far I could not find an answer to this.

Best regards,

Andreas

Re: Web Dispatcher Security Issue

Former Member — Mon, 04 Feb 2008 18:43:50 GMT

Hi Andreas,

Are you really sure that the user and password are sent encrypted when sent in the URL line ?

I did not understand it in that way.

You don't tell us in your exemple what is the SSL role of the web dispatcher ?

SSL termination ?

SSL router ?

SSL re-encryption ?

Regards,

Olivier

Re: Web Dispatcher Security Issue

Former Member — Tue, 05 Feb 2008 08:59:50 GMT

Hi Olivier,

that is my issue - when sent in the URL, the username/password are not encrypted, and I want to make sure that it is not even possible to authenticate this way.

I use SSL re-encryption, but the same holds true for all methods, because the URL is on the Internet before any SSL-handshake takes place.

Best regards,

Andreas

Edited by: Andreas Niewerth on Feb 5, 2008 10:23 AM

Re: Web Dispatcher Security Issue

Former Member — Tue, 05 Feb 2008 10:37:44 GMT

Hi Andreas,

From my understanding of SSL, there is no possibility of data transfer before SSL handshake.

I just made a quick test on a WAS 6.20 system which is SSL enabled.

I increased the ICM trace level and I called this URL from my browser :

https://<Myhost>:<sslport>/sap/bc/soap/wsdl11?services=STFC_CONNECTION&sap-user=<user>&sap-password=<pass>&sap-client=<client>;

I look at the ICM trace file and I see the SSL session negotiation before the URL decoding

Some extracts :

status = "new SSL session, client cert NOT requested"

<<- SapSSLSessionDone(sssl_hdl=00000000002E1DE0)==SAP_O_K

[Thr 388] REQUEST:

Type: ACCEPT CONNECTION Index = 68

[Thr 388] CONNECTION (id=1/27):

[Thr 388] <<- SapSSLRead(sssl_hdl=00000000002E1DE0)==SAP_O_K

[Thr 388] result = "max=65483, received=660"

[Thr 388] IcmReadFromConn(id=1/27): read 660 bytes(timeout 500)

[Thr 388] <<- SapSSLGetPeerInfo(sssl_hdl=00000000002E1DE0)==SAP_O_K

[Thr 388] HttpRewriteRequestHeader: perform actions: 0

[Thr 388] HttpHandleRequest: method: 1; path: /sap/bc/soap/wsdl11

[Thr 388] Handler 1: HttpLogHandler matches url: /sap/bc/soap/wsdl11, port: 1422

[Thr 388] -OUT- req_info LOGIN DP_ICM_EVENT

From this trace, I understand that the URL is sent encrypted.

Am I wrong on this ?

If you are right this is a huge security hole but not specific to SAP : a SSL security hole !

Regards,

Olivier

Re: Web Dispatcher Security Issue

Former Member — Tue, 05 Feb 2008 17:26:08 GMT

Hi Olivier,

you are correct, the URL is just like the payload encrypted, see also here:

http://answers.google.com/answers/threadview?id=758002

Kind of hard to find info on this though...

Best regards,

Andreas