2008 Jan 31 6:13 PM
Hello,
when coming in to XI via the Web Dispatcher, URL https://webdisp:443/sap/xi/adapter_plain the normal authentication is done after the SSL handshake, so all data transferred is encrypted.
However, it is also possible to logon via the URL https://webdisp:443/sap/xi/adapter_plain?sap-user=user&sap-password=pw which is sent before the line is encrypted, thus username and password are visible in the internet.
Not a good thing.
Most business partners should be responsible enough to use the right URL, but I want to make sure nobody can use the wrong one.
Does anybody know how to change this behaviour, or if it can be changed at all?
So far I could not find an answer to this.
Best regards,
Andreas
2008 Feb 04 6:43 PM
Hi Andreas,
Are you really sure that the user and password are sent encrypted when sent in the URL line?
I did not understand it in that way.
You don't tell us in your example what the SSL role of the web dispatcher is:
SSL termination?
SSL router?
SSL re-encryption?
Regards,
Olivier
2008 Feb 05 8:59 AM
Hi Olivier,
that is my issue - when sent in the URL, the username/password are not encrypted, and I want to make sure that it is not even possible to authenticate this way.
I use SSL re-encryption, but the same holds true for all methods, because the URL is on the Internet before any SSL-handshake takes place.
Best regards,
Andreas
Edited by: Andreas Niewerth on Feb 5, 2008 10:23 AM
2008 Feb 05 10:37 AM
Hi Andreas,
From my understanding of SSL, there is no possibility of data transfer before SSL handshake.
I just made a quick test on a WAS 6.20 system which is SSL enabled.
I increased the ICM trace level and I called this URL from my browser:
I looked at the ICM trace file and I see the SSL session negotiation before the URL decoding.
Some extracts:
status = "new SSL session, client cert NOT requested"
<<- SapSSLSessionDone(sssl_hdl=00000000002E1DE0)==SAP_O_K
[Thr 388] REQUEST:
Type: ACCEPT CONNECTION Index = 68
[Thr 388] CONNECTION (id=1/27):
[Thr 388] <<- SapSSLRead(sssl_hdl=00000000002E1DE0)==SAP_O_K
[Thr 388] result = "max=65483, received=660"
[Thr 388] IcmReadFromConn(id=1/27): read 660 bytes(timeout 500)
[Thr 388] <<- SapSSLGetPeerInfo(sssl_hdl=00000000002E1DE0)==SAP_O_K
[Thr 388] HttpRewriteRequestHeader: perform actions: 0
[Thr 388] HttpHandleRequest: method: 1; path: /sap/bc/soap/wsdl11
[Thr 388] Handler 1: HttpLogHandler matches url: /sap/bc/soap/wsdl11, port: 1422
[Thr 388] -OUT- req_info LOGIN DP_ICM_EVENT
From this trace, I understand that the URL is sent encrypted.
Am I wrong on this?
If you are right this is a huge security hole but not specific to SAP: an SSL security hole!
Regards,
Olivier
2008 Feb 05 5:26 PM
Hi Olivier,
you are correct, the URL is encrypted just like the payload, see also here:
http://answers.google.com/answers/threadview?id=758002
Kind of hard to find info on this though...
Best regards,
Andreas
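The following is an added example, not code from the thread or from SAP, that makes the two technical points of the thread concrete. First, the only thing a client puts on the wire before the handshake completes is the TLS ClientHello, which names the server but carries no path or query string; the request line with `sap-user`/`sap-password` exists only inside the HTTP request, which is sent after the handshake, exactly as Olivier's trace shows (SSL session done, then SapSSLRead, then HttpHandleRequest). Second, the query string is nevertheless written to server-side traces and logs (the trace above records the path), so Andreas's wish to "make sure nobody can use the wrong one" is best served by a reverse proxy in front of the adapter rejecting credential-bearing query strings outright and by log tooling redacting the password value. The parameter names come from the thread; the gateway policy function, the hostname `webdisp` as used here, and the trace line are constructed for this example. The ClientHello capture uses in-memory BIOs, so it runs offline.

```python
"""Added example (not code from the thread or from SAP): what an HTTPS client
reveals before the handshake, and how a reverse proxy can refuse and redact
credentials passed as query parameters.  Parameter names sap-user/sap-password
come from the thread; the gateway policy, hostname and log line are constructed."""
import re
import ssl
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the thread identifies as carrying credentials.
CREDENTIAL_PARAMS = frozenset({"sap-user", "sap-password"})
# Of those, the ones whose values must never reach a log (constructed policy).
SECRET_PARAMS = frozenset({"sap-password"})


def client_hello_bytes(server_hostname: str) -> bytes:
    """Capture the bytes a TLS client sends before anything is encrypted.

    Memory BIOs stand in for the socket, so nothing touches the network.
    The handshake stops after the ClientHello because no server reply arrives;
    what sits in the outgoing BIO is exactly what an observer on the wire sees
    before the HTTP request (and its query string) even exists.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()


def credential_params_in_url(url: str) -> list:
    """Names of credential-bearing query parameters present in url (sorted)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in CREDENTIAL_PARAMS})


def gateway_decision(request_target: str) -> tuple:
    """Policy for a reverse proxy in front of the adapter (constructed): answer
    400 instead of forwarding when credentials travel in the query string.
    Returns (HTTP status to answer with, reason)."""
    found = credential_params_in_url(request_target)
    if found:
        return 400, "credentials in query string not accepted: " + ", ".join(found)
    return 200, "forward"


# A request target or URL inside a log line: "/path?query" up to whitespace.
_URL_WITH_QUERY = re.compile(r"/\S*?\?\S+")


def redact_log_line(line: str) -> str:
    """Replace the value of every secret query parameter found in a trace/log line.

    Non-secret parameters pass through urlencode, so their encoding may change
    (e.g. '%20' becomes '+'); names and values themselves are preserved.
    """
    def _redact(match):
        parts = urlsplit(match.group(0))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        cleaned = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
        return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))
    return _URL_WITH_QUERY.sub(_redact, line)


# Constructed in the style of the ICM trace quoted in the thread (not real trace output).
SAMPLE_TRACE_LINE = (
    "[Thr 388] HttpHandleRequest: method: 1; "
    "path: /sap/xi/adapter_plain?sap-user=xiuser&sap-password=hunter2"
)

if __name__ == "__main__":
    hello = client_hello_bytes("webdisp")
    print("ClientHello:", len(hello), "bytes; contains hostname:", b"webdisp" in hello,
          "; contains query string:", b"sap-password" in hello)
    for target in ("/sap/xi/adapter_plain",
                   "/sap/xi/adapter_plain?sap-user=u&sap-password=p"):
        print(target, "->", gateway_decision(target))
    print(redact_log_line(SAMPLE_TRACE_LINE))
```

Running the script shows the hostname present in the ClientHello (the server name indication is sent in the clear) while nothing from the path or query appears, and the trace line comes back with the password value replaced while the user name stays for audit purposes. Rejecting at the gateway rather than at the application means the credentials never reach the backend's trace files at all.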