Yes, we’re open
WordPress is one of the most popular CMS systems. It is easy to use, can be run in the cloud or on premise, and offers a wide range of plugins and themes. WordPress has been available for almost 20 years. It has a huge community and allows running a website at low cost. This lowers the entry barrier, as a wide range of resources is freely available. In case you want to publish your own articles, show your CV or portfolio, or run an event, chances are very good that someone has already used WordPress for this and used WordPress to document how it was done. This enables even people with little to no IT skills to run a blog. Millions of web pages are powered by WordPress and many companies use it. SAP is no exception. One of the SAP websites that uses WordPress is the Fiori Design Guidelines site: the site for SAP Fiori web, not for iOS, Android or CX design.
How did I find out the website is using WordPress? Once I had a small problem accessing the Fiori Design Guidelines website and activated the developer tools of my browser. I just wanted to clear the cache for the site to see if this would solve the problem. In the network trace I saw some familiar URLs: wp-content, wp-includes. These are standard WordPress URLs. This caught my attention.
One of the benefits of WordPress is that it comes with a set of standard links to access certain functionalities. Over time, the usage and basic access links stay as they are. This allows anyone who once worked with WordPress to find a familiar environment. Even when it has been years since that person last worked with WordPress, the links stay the same. One such link is the one for the admin site, or the dashboard. It is used not only by the administrator, but also by content creators to author articles. Everyone who has ever worked with WordPress knows the URL: /wp-admin. Knowing a little bit about WordPress, I decided to try out the dashboard URL. To my surprise I was redirected to the SAP IdP service, authenticated with my S/P-User and … was logged on as a user on the Fiori Design Guidelines website.
By default, any WordPress site restricts access to the dashboard. Knowing just the URL won’t help a lot, as access is protected. Without a valid WordPress user, a logon is not possible. Authentication via SAML 2.0 can be configured to automatically create a user in WordPress. As SAML 2.0 is a widely used protocol at SAP, this feature is activated. To log on via SAML 2.0, an IdP to which you have access is needed. There is a central IdP service that every person who interacts with SAP knows, and that is used to authenticate S- and P-users: the SAP IdP at accounts.sap.com, also used by e.g. SAP Universal ID. Every person with such an SAP user can log on to selected services and sites at SAP. These only need to be configured to trust the SAP IdP.
It seems that SSO for WordPress using the SAP IdP was activated and every logged-on / authenticated user was assigned a standard role for content authors. As long as you were able to log on at the SAP IdP, WordPress accepted you as a valid user and gave you access to the dashboard, with a very limited set of features activated. Nevertheless, the dashboard opened, and even the limited access was too much.
Being logged on and treated by WordPress as a valid user gave me access to the dashboard. Using the menu, I was able to navigate around. Accessing the website showed the WordPress admin bar on top of the website: the black bar at the top of the page and the standard greeting on the right: Howdy, <username>.
The possible actions assigned to me were somewhat limited but showed that I was logged in as a valid user with the permission to work with articles. For publishing articles, a workflow is in place. While creating a post was possible, it must be approved before being published. Something I did not try out.
I assumed that writing articles includes the permission to embed files and pictures, so I tried out the media library feature of WordPress. A WordPress user with author permission can normally store pictures in the media library and use them in an article. Yes, this is what I tried out: see if I could upload files. I took a screenshot of my own website’s homepage and uploaded it. It worked.
The picture was accessible through the media library. Using the URL for external access opened the picture.
For the media library, no approval workflow was needed. Once uploaded, the file is accessible on the internet. Files stored in the WP media library have a publicly accessible link, and it is not necessary to embed them in a post first. Therefore, a picture of my website was now accessible through a website run by SAP, under the SAP domain. To evaluate whether this is bad or good, let me provide some possible use cases:
- SAP offered a file share to a wide range of users: not only to S-Users, but also to P-Users. And every person with internet access can obtain a P-User. This was a publicly accessible file share. Attackers might have used it to share illegal files.
- People not so happy with SAP Fiori might have published (faked) white papers stating that Fiori is failing or that SAP is stopping investment. Sending these documents to SAP customers might cause some questions. To make things worse, these documents would have been published under the SAP experience domain, lending them some credibility.
- Saving illegal documents, informing the prosecutor and getting SAP into some legal trouble.
- Consultants might use the WordPress toolbar on the Fiori Design Guidelines site to show that they are working closely with SAP on the Fiori topic, faking a relationship that does not exist.
- Denial of service attack. Attackers might log on with a rather high number of users, create a high number of posts and send them to preview, or create and delete millions of posts and crash the server.
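The root cause described above is a default role for SSO-provisioned users that carries the right to write posts and, through the media library, to put files on a public URL without any approval step. The following must-use plugin is an added example for this post, not code from SAP, from the Fiori Design Guidelines site or from any WordPress or SAML plugin. It assumes the SAML plugin creates new users with the site’s `default_role` option and nothing else; the user meta key `sso_guard_approved` is a name chosen here for the example, not a WordPress convention. It shows the weak setting next to the corrected one, strips the capabilities that reach the public site from anyone an administrator has not explicitly approved, keeps those users out of the dashboard and admin bar, and logs every login so a wave of freshly provisioned accounts becomes visible.

```php
<?php
/**
 * Plugin Name: SSO least-privilege guard
 *
 * Added example for this post, not code from SAP or from any WordPress or
 * SAML plugin. Place it in wp-content/mu-plugins/ so WordPress loads it before
 * regular plugins. Assumption: the SAML plugin creates new users with the
 * site's `default_role` option and does nothing else; the meta key
 * `sso_guard_approved` is a name chosen for this example.
 */

// Weak configuration as described in the post: every authenticated IdP user
// is provisioned into a role that can write posts and upload media, i.e.
//   update_option( 'default_role', 'author' );
//
// Corrected configuration: short-circuit the option read so that, whatever is
// stored in wp_options or set on a plugin settings screen, new users become
// subscribers.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// Capabilities that put content on the public site. `upload_files` alone is
// enough to publish a file under the site's domain, because the media library
// has no approval workflow.
const SSO_GUARD_SENSITIVE_CAPS = array(
    'upload_files',
    'unfiltered_upload',
    'edit_posts',
    'publish_posts',
);

// Defence in depth: even if a user ends up in a richer role, only users an
// administrator has explicitly approved keep the sensitive capabilities.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        return $allcaps; // administrators are managed outside this guard
    }
    if ( get_user_meta( $user->ID, 'sso_guard_approved', true ) === '1' ) {
        return $allcaps;
    }
    foreach ( SSO_GUARD_SENSITIVE_CAPS as $cap ) {
        $allcaps[ $cap ] = false;
    }
    return $allcaps;
}, 10, 4 );

// Subscribers still hold `read`, which is enough to open the dashboard and to
// get the admin bar on the public site. Keep unapproved users out of both.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
add_filter( 'show_admin_bar', function ( $show ) {
    return $show && current_user_can( 'edit_posts' );
} );

// Make a wave of freshly provisioned accounts visible: one line per login in
// the PHP error log, which a log pipeline can rate-alert on.
add_action( 'wp_login', function ( $user_login, $user ) {
    error_log( sprintf(
        'sso-guard: login user=%s roles=%s',
        $user_login,
        implode( ',', (array) $user->roles )
    ) );
}, 10, 2 );
```

Two design choices worth noting. Forcing `default_role` through the `pre_option_default_role` filter rather than editing the option means a later change on a settings screen cannot silently reopen the hole. And the capability filter works on the effective capability set rather than on role names, so it also covers a user who was provisioned before the fix and still sits in the author role; after this, promoting someone is a deliberate administrator action (setting the approval flag) instead of a side effect of being able to log on at the IdP.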
For those who now want to try this out: I reported this issue and SAP fixed it. Well, somehow. While the logon form may still open, the logon will no longer give you a user that has the permission to access the dashboard.
You can still log in via SAML 2.0. Go with, e.g., your S-User to the Support Launchpad to log on, then access https://experience.sap.com/wp-admin. This logs you on to the WordPress site and shows the permission message above. Next, go to the Fiori Design Guidelines at https://experience.sap.com/fiori-design-web and see the WP user bar.
You do not have the permission to do anything. You can still add some additional load on the server through the logon, so maybe it is better if you don’t do this.