
SAP B2B/B2C CRM Local File Inclusion

Description

SAP B2B/B2C CRM contains a Local File Inclusion (LFI) vulnerability in the initProductCatalog.do file. An unauthenticated attacker can exploit the forwardPath GET parameter to traverse the file system and read arbitrary files on the server. This vulnerability allows remote attackers to access sensitive files without requiring authentication or user interaction.

Remediation

Apply the security patch provided in SAP Security Note 1870255656 immediately.

If immediate patching is not possible, implement the following temporary mitigations:
1. Implement strict input validation on the forwardPath parameter to reject path traversal sequences (../, ..\ and encoded variants)
2. Use an allowlist approach to restrict file paths to only expected, safe directories
3. Configure web application firewall (WAF) rules to block requests containing directory traversal patterns
4. Monitor server logs for suspicious access attempts to initProductCatalog.do with unusual forwardPath values
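The following is an added example, not code from Invicti or SAP, showing how mitigations 1, 2 and 4 fit together: a validator that decodes the `forwardPath` value (including double-encoded variants), rejects any `..` component or absolute path, normalizes the remainder and checks it against an allowlist of expected directories, and a log scanner that runs the same validator over access-log lines for `initProductCatalog.do`. The allowed prefixes (`catalog/`, `product/`), the `/b2b/` URL path and the log lines are constructed assumptions for illustration, not SAP's actual layout.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote

# Assumption: directories (relative to the application root) that forwardPath is
# legitimately expected to reference. Not SAP's real layout; adjust per deployment.
ALLOWED_PREFIXES = ("catalog/", "product/")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e) are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_forward_path(raw: str) -> Optional[str]:
    """Mitigations 1 and 2: return a normalized, allowlisted path, or None to reject.

    Rejects '..' components (forward or backslash, plain or encoded), NUL bytes and
    absolute paths, then requires the canonical path to sit under an allowed prefix.
    """
    decoded = decode_fully(raw).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    if ".." in decoded.split("/"):
        return None
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith(ALLOWED_PREFIXES):
        return None
    return normalized


# Matches the request line of a combined-format access log entry for the action.
LOG_RE = re.compile(r'"GET (?P<path>/\S*initProductCatalog\.do)\?(?P<query>\S*) HTTP/')


def find_suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Mitigation 4: flag log lines whose forwardPath value fails validation.

    Returns (forwardPath value as decoded once by parse_qs, original log line) pairs.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        params = parse_qs(match.group("query"), keep_blank_values=True)
        for value in params.get("forwardPath", []):
            if validate_forward_path(value) is None:
                hits.append((value, line))
    return hits


# Constructed sample log lines (not real traffic): one benign request, one with a
# URL-encoded traversal, one double-encoded, and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /b2b/initProductCatalog.do?forwardPath=catalog%2Fmain.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /b2b/initProductCatalog.do?forwardPath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1840',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /b2b/initProductCatalog.do?forwardPath=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /b2b/other.do?id=1 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for value, line in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious forwardPath={value!r}: {line}")
```

The validator is deliberately strict: a value such as `catalog/../product/list.jsp` is rejected even though it would normalize to an allowed directory, because the page's guidance is to reject traversal sequences outright rather than reason about where they end up. The scanner decodes the query string once via `parse_qs` and the validator decodes again, which is what catches the double-encoded third line.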

Long-term solution: Upgrade SAP B2B/B2C CRM to the latest patched version and ensure all security updates are applied regularly.