Access to internal SAP Help site

Published by Tobias Hofmann on

5 min read

Using Google to find SAP related documentation is a daily task. When I was searching for some Fiori Launchpad information, I was using Google Search. One of the search results directed me to SAP Help and the Fiori Launchpad documentation. The link is:

https://help.sap.com/docs/SAP_FIORI_LAUNCHPAD?locale=en-US

The page is not hidden under several levels of hierarchy somewhere deep inside SAP Help. This link is the main product site for the SAP Fiori Launchpad at SAP Help. Another way to get there is via the SAP Help homepage, search for Fiori Launchpad and accept the suggested search result.

Going via the main SAP Help page to the Fiori Launchpad product documentation also redirects you to https://help.sap.com/docs/SAP_FIORI_LAUNCHPAD?locale=en-US

The page that opened in my browser:


Update: this was just a simple configuration error that was fixed by SAP. The option to view the internal site has been removed.


This looks a little different from what I am used to seeing. First, the page contains a bit more text than usual. That is not necessarily bad, but the text of the sections caught my attention: Internal DEV Previews and Internal SHIP Previews?

Internal

This does not look like a new product around FLP. But maybe it is a new product? That is a possibility you can never rule out when talking about an SAP product. Yet the text makes it clear that this is a page I should not be able to see.

“SAP-internal previews of the dev container. Use for changes that are in progress (not yet pushed to ship). The information must not be shared with any external audience!”

I like the part: “must not be shared with any external audience!”. Well, it seems I am on SAP’s payroll. Except I am not.

Clicking the links directs to sites that demand authentication (good). A normal SAP Universal ID (UID) user cannot access the content (even better). The error message is clear and gives guidance to the user (perfect).

Some links give a page not found error. The reason is that the links that demand authentication are located under the path DRAFT, while the page not found ones use a state parameter instead:

https://help.sap.com/docs/r/DRAFT/6583b46f6c164aad818a3891bc91d8d8/dev_internal/en-US

https://help.sap.com/docs/FLP/124fa121c8674dce903cee2ff62b9c63/2e034767ee0c4d43a5159ce4a4c014f5.html?state=DRAFT

Internal vs External

What is happening here? At the top of the page I came across a version selector dropdown.

Here the page allows me to change between Internal and External version. The external version is intended for, well, external users. Selecting External loads the page for external access.

SAP Help provides a nice feature for selecting versions. It is not perfect, but at least you can somehow change the product version for a help page, like switching from SPS10 to SPS20. My guess is that the product version is messed up. It seems that internal is also treated as the latest one, so it is selected by default, giving external people access to the internal product page.

Result

What I came across is not more than a configuration error. It is not a data leakage, and private data – of SAP employees or worse, of customers – is not exposed. Nevertheless, this should not happen. First, this is internal information that should not be made available publicly. The web site text states this fact very clearly. There should be some automatic monitoring that checks for this kind of error before a page goes live. Furthermore, customers that access the FLP product documentation are shown links they cannot open. Frustrating. In case the protected links go into a search index cache (Google, Bing), the links will be part of search results for a while, so the problem might persist for some time. If the internal version were treated with a lower priority than the external one, I might not have noticed the error; in that case, the page loaded would have been the external one I am used to seeing. As the internal version is loaded by default, the error was obvious.

The document organization used by SAP Help, with DRAFT, folders and parameters, is visible. This might be of interest: at least it might be used to crawl for “hidden” files and versions. Maybe the logon process is not fully working everywhere.
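The kind of automatic pre-publication check I have in mind, as an added example that is not part of the original post or of SAP's tooling: it classifies help.sap.com links by the two DRAFT patterns described above (path segment vs. state parameter) and scans a page for the internal-only wording quoted earlier. The HTML sample is constructed for the example and only reuses the URLs and phrases from this post; the marker list and function names are my own assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Phrases that mark SAP-internal-only content on the page quoted in the post.
# This list is an assumption for the example, not an SAP convention.
INTERNAL_MARKERS = (
    "SAP-internal",
    "must not be shared with any external audience",
    "Internal DEV Previews",
    "Internal SHIP Previews",
)

def classify_link(url: str) -> str:
    """Classify a help.sap.com link as the post describes them:
    'draft-path'  -> a /DRAFT/ path segment (these links asked for authentication)
    'draft-state' -> a ?state=DRAFT parameter (these returned "page not found")
    'public'      -> anything else."""
    parsed = urlparse(url)
    if "DRAFT" in parsed.path.split("/"):
        return "draft-path"
    if parse_qs(parsed.query).get("state") == ["DRAFT"]:
        return "draft-state"
    return "public"

def audit_page(html: str) -> dict:
    """Return the internal markers and draft links found in a page that is
    about to be published. Both lists empty means the page passes."""
    links = re.findall(r'href="([^"]+)"', html)
    return {
        "markers": [m for m in INTERNAL_MARKERS if m in html],
        "draft_links": {u: classify_link(u) for u in links
                        if classify_link(u) != "public"},
    }

def is_clean(html: str) -> bool:
    """True when the page carries neither internal wording nor draft links."""
    result = audit_page(html)
    return not result["markers"] and not result["draft_links"]

# Constructed sample resembling the page described in the post (not SAP's markup).
SAMPLE_INTERNAL = """
<h2>Internal DEV Previews</h2>
<p>SAP-internal previews of the dev container. The information must not be shared with any external audience!</p>
<a href="https://help.sap.com/docs/r/DRAFT/6583b46f6c164aad818a3891bc91d8d8/dev_internal/en-US">dev</a>
<a href="https://help.sap.com/docs/FLP/124fa121c8674dce903cee2ff62b9c63/2e034767ee0c4d43a5159ce4a4c014f5.html?state=DRAFT">ship</a>
<a href="https://help.sap.com/docs/SAP_FIORI_LAUNCHPAD?locale=en-US">external</a>
"""
SAMPLE_EXTERNAL = '<a href="https://help.sap.com/docs/SAP_FIORI_LAUNCHPAD?locale=en-US">FLP</a>'

if __name__ == "__main__":
    print(audit_page(SAMPLE_INTERNAL))          # three markers, two draft links
    print("external page clean:", is_clean(SAMPLE_EXTERNAL))  # True
```

Run against the rendered HTML of each product page before it goes live, a non-empty result is the signal that the default version is pointing at the internal build.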

Cloud means: the information is in the cloud. When it is not protected, people can access it. And even a small configuration error can expose internal information to the world.

Categories: SAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests are something I actually do. Developing HTML5 apps since before HTML5 was around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

1 Comment

Oliver Mueller · September 21, 2023 at 15:35

Hi Tobias,
the Spürnase strikes again. 😉 Thanks for bringing this up, this has been fixed about 2 hours ago, so the internal version is no longer visible. You’re right, this shouldn’t have happened.
Best regards,
Oliver
