• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1422273

Главная Специалистам База уязвимостей Не установлено обновление Note 1422273

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1422273-12) SAP Support Packages (SAPKB64026, SAPKB70022, SAPKB70107, SAPKB70203, SAPKB71010, SAPKB71105, SAPKB72003)
Описание
The vulnerability is due to the missing encoding of the input  parameters. This results in possibilities of attack by cross-site scripting or by cross-domain redirection.

The reflected cross-site scripting can be used to steal authentication  information or session information of a user or to damage a website  temporarily. An attacker who has access to this data can use it to  impersonate another user and have the same access to information as the  target user as a result. If an administrator is impersonated, the entire application security may be compromised.

Attacks by cross-domain redirection enable a malicious user to display a  URL as if it is a usual BSP application, but which actually causes a redirection to a page desired by the malicious user.

The relevant ICF service was deleted. You cannot perform the deletions  via correction instructions. Therefore, the services are no longer available as of the specified Support Packages.
Как исправить
Import the relevant Support Package or perform the following manual steps:
1. Delete the class CL_BSP_ICF. To do this, call transaction SE80, select "Class / Interface" in the top input field and enter CL_BSP_ICF in the input field below. Then choose "Enter". Add the class by selecting the menu path "Class --> Display <->Edit" in edit mode and deactivate the Modification Assistant by choosing the menu path "Edit -> Modification Operations -> Switch Off Assistant". (This step is not applicable if the Modification Assistant is already deactivated.) Then choose the menu path "Class --> Display <->Edit" to return to display mode and delete the class by choosing "Delete" in the context menu of the class.
2. Delete the BSP application ICF. To do this, call transaction SE80, select "BSP Application" in the top input field and enter ICF in the input field below. Then choose "Enter". Then choose "Delete" in the context menu of the object ICF (under the literal "Object Name"). In the following confirmation window, answer "Yes" to confirm that you want to delete it.
3. Delete the BSP application BSP_VERI. To do this, call transaction SE80, select "BSP Application" in the top input field and enter BSP_VERI in the input field below. Then choose "Enter". In the context menu of the object BSP_VERI (under the literal "Object name"), choose "Delete". In the following confirmation window, choose "Yes" to confirm that you want to delete it.
4. Delete the ICF services /sap/bc/bsp/sap/bsp_veri and /sap/bc/bsp/sap/icf using transaction SICF.
Ссылки