STE WILLIAMS

SAP E-Recruiting bug could let you stop rivals poaching your people

SAP admins, there’s an e-mail system bug that could give your HR department headaches, by blocking people from registering their e-mail with its E-Recruiting system.

The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people’s e-mail addresses into the system and guess the “e-mail confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn’t done in release versions 605, 606, 616 or 617.

As described by SEC Consult here, when someone registers with SAP’s E-Recruiting solution, they get a confirmation e-mail containing an incrementing (and therefore predictable) value called candidate_hrobject.
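To make the contrast concrete, here is an added example (not SAP’s code, nor from the SEC Consult advisory) of the two confirmation-link designs the article contrasts: a link keyed on an incrementing object id, and one keyed on the pre-registration nonce that would have closed the hole. The endpoint, e-mail addresses and the `candidate_hrobject` starting value are hypothetical; the hardened version also stores only a hash of the nonce, binds it to the address, expires it and lets it be used once.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CONFIRM_BASE = "https://jobs.example.invalid/confirm"  # hypothetical endpoint


class PredictableConfirmations:
    """Weak pattern, as the article describes: the confirmation link carries
    an incrementing object id, so a registration submitted with someone
    else's address can be completed by whoever can count upwards."""

    def __init__(self, start=1000):  # starting id is a constructed value
        self._next = start
        self._pending = {}  # object id -> e-mail awaiting confirmation

    def register(self, email):
        obj = self._next
        self._next += 1
        self._pending[obj] = email
        return f"{CONFIRM_BASE}?{urlencode({'candidate_hrobject': obj})}"

    def confirm(self, obj):
        # Anything presenting the id (seen or guessed) confirms the address.
        return self._pending.pop(obj, None)


class NonceConfirmations:
    """Hardened pattern: a 256-bit random nonce issued at registration time,
    stored only as a hash, bound to the address, single use and time limited.
    Guessing it is infeasible and a leaked table yields no live links."""

    TTL_SECONDS = 24 * 3600

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(email || nonce) -> (email, issued_at)

    @staticmethod
    def _digest(email, nonce):
        return hashlib.sha256(f"{email.lower()}\0{nonce}".encode()).hexdigest()

    def register(self, email):
        # An unconfirmed registration does not reserve the address: anyone
        # can request a link for it, but only the mailbox owner can finish.
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(email, nonce)] = (email, self._clock())
        return f"{CONFIRM_BASE}?{urlencode({'email': email, 'token': nonce})}"

    def confirm(self, email, nonce):
        # The lookup key is a hash of the secret, so the dict lookup itself
        # is not a timing oracle, and a wrong address yields a different key.
        entry = self._pending.pop(self._digest(email, nonce), None)
        if entry is None:
            return None
        stored_email, issued_at = entry
        if self._clock() - issued_at > self.TTL_SECONDS:
            return None  # expired links are discarded, never re-issued
        return stored_email


def params_from_link(link):
    """Return the query parameters of a confirmation link as a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}


if __name__ == "__main__":
    weak = PredictableConfirmations()
    print(weak.register("alice@example.invalid"))   # ...candidate_hrobject=1000
    strong = NonceConfirmations()
    print(strong.register("alice@example.invalid"))  # ...token=<43 random chars>
```

The defensive points are in `NonceConfirmations.register` and `confirm`: the token is unguessable, only the mailbox owner can complete the flow, and a pending registration for an address does not lock that address, which also removes the "pre-register your rivals’ staff" denial trick the article describes.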

For an attacker, then, the process would be:

The SEC Consult post notes that some business processes assume people can be contacted by e-mail.

There’s an unexpected upside to this bug: imagine you see a rival advertising a job that some of your people would fit. With minimal effort you could pre-register your team’s e-mail addresses – including personal addresses if you know them – and because those addresses can only be used once in SAP’s application, effectively prevent your people from applying for that job! Unless of course they whip up a new address …

The advisory says SAP has addressed the issue in SAP Security Note 2507798. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/13/sap_erecruiting_email_bug/
