Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1509015-1)
SAP Support Packages
(SAPKY41021, SAPKY50019, SAPKY51015, SAPKY70009, SAPKY70103)
Описание
Collaborative Planning executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Implement the attached Correction Instructions or the relevant Support Package
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SCM SCM (Supply Cha...|
| Release 410 All Support Package Levels |
| Release 500 All Support Package Levels |
| Release 510 All Support Package Levels |
| Release 700 Until SAPKY70008 |
| Release 701 Until SAPKY70102 |
------------------------------------------------------------------------
Switch on the protection mechanism for affected ITS services.
Repeat the following steps for 5 ITS application:
CLPBID, CLPPROMCAL, CLPSDP, AMON, AMON_STATIST
Enter transaction SICF
Select Execute (F8)
Open the service hierarcy - default_host/sap/bc/gui/sap/its
Select the affected service and select Execute (F8)
Select the first tab "Service Data"
Switch to change mode.
Click on the button "GUI Configuration" -> A popup appears.
Add the parameter "~XSRFCHECK" with Value "1".
Close the popup with Continue and save the service
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SCM SCM (Supply Cha...|
| Release 410 All Support Package Levels |
| Release 500 All Support Package Levels |
| Release 510 All Support Package Levels |
| Release 700 Until SAPKY70008 |
| Release 701 Until SAPKY70102 |
------------------------------------------------------------------------
Switch on the protection mechanism for affected ITS services.
Repeat the following steps for 5 ITS application:
CLPBID, CLPPROMCAL, CLPSDP, AMON, AMON_STATIST
Enter transaction SICF
Select Execute (F8)
Open the service hierarcy - default_host/sap/bc/gui/sap/its
Select the affected service and select Execute (F8)
Select the first tab "Service Data"
Switch to change mode.
Click on the button "GUI Configuration" -> A popup appears.
Add the parameter "~XSRFCHECK" with Value "1".
Close the popup with Continue and save the service
Ссылки