• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1496919

Главная Специалистам База уязвимостей Не установлено обновление Note 1496919

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1496919-4) SAP Support Packages (SAPKA64027, SAPKA70023, SAPKA70108, SAPKA70205, SAPKB71011, SAPKB71106, SAPKB72004, SAPKB73001, SAPKGPBA22)
Описание
a) The program code contains a possibility to define and execute code of  the user#s choice which changes the system#s behavior. However, valid  log on information is required for this purpose. However, the noticeable  source code items cannot be accessed in the standard SAP system because  the source code is experimental and is not provided for productive use.  Depending on the inserted code, the malicious user can obtain  unauthorized access to data and change or delete this data, but also  change system outputs or create new users and cause a Denial of Service.

b) A Business Server Page within the Business Rule Framework does not  sufficiently encode INPUT parameters, resulting in a permanent cross-site scripting issue.
As a result, a malicious user can store contents on a server and these  contents are displayed automatically to a user and interpreted by their  browser. In this way, it is possible to access the information of a user  and to use this data to appear to be already authenticated according to  the application. Therefore, the malicious user can access all  information with the same rights as the target user. If an administrator  is impersonated, the application#s security could be fully compromised.
Как исправить
In this note, the noticeable parts of the source code are completely retired by inserting ASSERT statements and by turning problematic parts into comments to avoid any remaining risk of an attack.

This affects the experimental area of the code generation in BRF (which is no longer used by the standard system anyway) and an experimental Business Server Page that is removed completely.

If you want to implement the corrections immediately, refer to the automatic and manual correction instructions. These corrections are part of the relevant Support Package otherwise.




------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component ABA_PLUS |
| Release 100 Until SAPKGPBA21 |
------------------------------------------------------------------------

Delete the following Business Server Pages including all of their subobjects:

BRF_EXPORT_XML and
BRF_INFO





------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_BASIS SAP Basis compo...|
| Release 710 Until SAPKB71010 |
| Release 711 Until SAPKB71105 |
| Release 730 w/o Support Packages |
| Release 720 Until SAPKB72003 |
------------------------------------------------------------------------

Delete the following Business Server Page including all of its subobjects:

BRF_EXPORT_XML



------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_ABA SAP Application...|
| Release 640 Until SAPKA64026 |
| Release 700 Until SAPKA70022 |
| Release 701 Until SAPKA70107 |
| Release 702 Until SAPKA70204 |
------------------------------------------------------------------------

Delete the following Business Server Pages including all of their subobjects:

BRF_EXPORT_XML and
BRF_INFO
Ссылки