• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1509015

Главная Специалистам База уязвимостей Не установлено обновление Note 1509015

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1509015-1) SAP Support Packages (SAPKY41021, SAPKY50019, SAPKY51015, SAPKY70009, SAPKY70103)
Описание
Collaborative Planning executes certain functions through referencing  specific URLs. When an attacker tricks an authenticated user's browser  into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Implement the attached Correction Instructions or the relevant Support Package



------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SCM SCM (Supply Cha...|
| Release 410 All Support Package Levels |
| Release 500 All Support Package Levels |
| Release 510 All Support Package Levels |
| Release 700 Until SAPKY70008 |
| Release 701 Until SAPKY70102 |
------------------------------------------------------------------------

Switch on the protection mechanism for affected ITS services.
Repeat the following steps for 5 ITS application:
CLPBID, CLPPROMCAL, CLPSDP, AMON, AMON_STATIST
Enter transaction SICF
Select Execute (F8)
Open the service hierarcy - default_host/sap/bc/gui/sap/its
Select the affected service and select Execute (F8)
Select the first tab "Service Data"
Switch to change mode.
Click on the button "GUI Configuration" -> A popup appears.
Add the parameter "~XSRFCHECK" with Value "1".
Close the popup with Continue and save the service
Ссылки