• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1482449

Главная Специалистам База уязвимостей Не установлено обновление Note 1482449

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1482449-4) SAP Support Packages (SAPKU70102)
Описание
The problem is caused by an SQL injection vulnerability. The code  composes an SQL statement including strings that can be altered by a  malicious user. The manipulated SQL statement can then be used to  retrieve additional information from the database or to potentially modify it.

Since these reports are intended to be used by certain users, such as  IPM Mass Change database administraotrs. Such problem can be eliminated by limiting access to these reports.
Как исправить
Assign these two reports to an authorization group (MC_ADMIN)

Please implement the attached correction instructions.

This fix is valid for CRM 7.01.



------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component BBPCRM BBP / CRM |
| Release 701 Until SAPKU70101 |
------------------------------------------------------------------------

1. In SAP GUI, launch transaction SM30
2. Input 'TPGP' in field 'Table/View'
3. Click on button 'Maintain'
4. Add one row with the following columns:
Appl = 'R'
P_group = 'MC_ADMIN'
Text for auth group = 'IPM Mass Change database admin'
5. Click on button 'Save' to save the change
6. Exit SM30 and launch transaction SE38
7. Input 'CRM_MASS_DB_DOWNLOAD' in field 'Program'
8. Select 'Attributes' in radio button group 'Subobjects'
9. Click on button 'Change'
10. Input 'MC_ADMIN' in field 'Authorization Group'
11. Click on button 'Save' to save the change
12. Repeat steps 7 to 11 for program 'CRM_MASS_DB_UPLOAD'
Ссылки