Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1496297-1)
SAP Support Packages
(SAPK-70009INWEBCUIF, SAPK-70102INWEBCUIF, SAPK-73001INWEBCUIF)
Описание
BSP Application results in a stored cross-site scripting issue. Stored cross-site scripting can be used to permanently modify displayed content from a web site, allowing the malicious user to embed content that is rendered automatically, without the need to individually target victims. Stored cross-site scripting can also be used to steal another user#s authentication information, such as data relating to their current session. An attacker who gains access to this data could use it to impersonate the user and access all information with the same rights as the target user. If an administrator is impersonated, the application#s security could be fully compromised.
Как исправить
For CRM releases based on WEBCUIF 7.0 to WECBUIF 7.0 Enhancement package 1 follow the attached correction instructions.
In all older releases based on SAP_ABA 7.0, apply the following steps
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80 to delete BSP application BSP_XP.
a) Select "BSP Application" from the dropdown menu, enter BSP_XP and proceed with the deletion.
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component WEBCUIF |
| Release 701 Until SAPK-70101INWEBCUIF |
------------------------------------------------------------------------
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80, select BSP Applications and enter application name BSP_XP
a) Expand the "MIMEs" folder and delete all the files in folder "scripts"
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component WEBCUIF |
| Release 700 Until SAPK-70008INWEBCUIF |
| Release 730 w/o Support Packages |
------------------------------------------------------------------------
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80, select BSP Applications and enter application name BSP_XP
a) Expand the "MIMEs" folder and delete all the files in folder "scripts"
In all older releases based on SAP_ABA 7.0, apply the following steps
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80 to delete BSP application BSP_XP.
a) Select "BSP Application" from the dropdown menu, enter BSP_XP and proceed with the deletion.
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component WEBCUIF |
| Release 701 Until SAPK-70101INWEBCUIF |
------------------------------------------------------------------------
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80, select BSP Applications and enter application name BSP_XP
a) Expand the "MIMEs" folder and delete all the files in folder "scripts"
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component WEBCUIF |
| Release 700 Until SAPK-70008INWEBCUIF |
| Release 730 w/o Support Packages |
------------------------------------------------------------------------
1. Execute transaction SICF to ensure that application BSP_XP can not be accessed
a) Enter "BSP_XP" in the field "Service Name" and execute the search
b) In the search result, right click on entry "BSP_XP" and de-activate the entry in case it is still active.
2. Execute transaction SE80, select BSP Applications and enter application name BSP_XP
a) Expand the "MIMEs" folder and delete all the files in folder "scripts"
Ссылки