• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1509214

Главная Специалистам База уязвимостей Не установлено обновление Note 1509214

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1509214-6)
Описание
FSCM_BD executes state changing functionality via referencing URLs. In certain scenarios, it is possible for an unauthorized and unauthenticated third party to trigger this functionality on behalf of  an authorized authenticated user without the latter's knowledge and/or consent.
Как исправить
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.

The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for FSCM_BD.

SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for FSCM_BD, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.

Once you have reviewed the above mentioned document, please proceed in following the detailed outlined steps which are specific to FSCM_BD.

HOW TO ADAPT FSCM_BD IN A STANDARD SCENARIO -


1 deploy the correct release of xsrf sda tc~je~xsrf~lib.sda (7.0x) tc~je~webcontainer~public~api (7.2) and server_jsp sda servlet_jsp.sda file to the j2ee server

2 change application-j2ee-engine.xml in bd META-INF folder. add lines for mandatory use of xsrf lib

For 7.2

<reference reference-type="hard">
<reference-target target-type="service" provider-name="sap.com"> tc~je~webcontainer~public~api </reference-target>
</reference>

For 7.0X

<reference reference-type="hard">
<reference-target target-type="library" provider-name="sap.com"> tc~je~xsrf~lib </reference-target>
</reference>

3 add xsrf-config.xml and xsrf-config.xsd in bd WEB-INF folder, in xsrf-config.xml config to protect all the .sap actions

<?xml version="1.0" encoding="UTF-8"?>
<xsrf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="xsrf-config.xsd">

<xsrf-url-constraint>
<display-name>constraint1</display-name>
<xsrf-url-pattern>*.sap</xsrf-url-pattern>
<protected-http-method>POST</protected-http-method>
</xsrf-url-constraint>


<xsrf-pages-config>
<verification-page-location server-root-relative="false">/verif.jsp</verification-page-location>
<error-page-location server-root-relative="false">/jsp/xsrf_error.jsp</error-page-location>
<captcha-location server-root-relative="false">/captcha.jsp</captcha-location>
<action-details-location server-root-relative="false">/usr.jsp</action-details-location>
</xsrf-pages-config>
<request-encoding>ISO-8859-1</request-encoding>
<regenerate-xsrf-token>login</regenerate-xsrf-token>
</xsrf-config>

4 Change jsp files
4.1: Find the jsp page contains <form> ,detail refers to affected file part.

4.2: Find forms(one jsp may have 2 forms-- one for next page, one for previous page) with post actions, for example:

<form name="payVerifyForm" method="post" action="<webbase:encodeUrl>accsearch.sap</webbase:encodeUrl>">

4.3: Put the following code into the declaration part of the jsp ( "accsearch.sap" of first line should be replaced by the action you find in 4.2)
<%
String uriPost = request.getContextPath()+"/accsearch.sap";

com.sap.xsrf.XSRFProtector xsrfProtector = com.sap.xsrf.XSRFProtectorFactory.getInstance();
String hiddenXsrfField = xsrfProtector.getXsrfEncodedFormField(uriPost, false, request);
%>

4.4: Insert the hidden field "hiddenXsrfField" declared in 4.3 into the <form> found on 4.2
<form name="payVerifyForm" method="post" action="<webbase:encodeUrl>accsearch.sap</webbase:encodeUrl>">
<%=hiddenXsrfField%> //this is a new line

</form>

4.5: In some JSPs form type is "MULTIPART/FORM-DATA", for example:

<form name="complainInputForm" method="post" enctype="MULTIPART/FORM-DATA" action="<webbase:encodeUrl>complainDM.sap</webbase:encodeUrl>">

In this case you need to use encodedUrl in the form type "MULTIPART/FORM-DATA" instead of the original .sap

4.6: Put the following code into the declaration part of the jsp ( "complainDM.sap" of first line should be replaced by the action you find in 4.5)

<%
String uriPost = request.getContextPath()+"/complainDM.sap";
com.sap.xsrf.XSRFProtector xsrfProtector = com.sap.xsrf.XSRFProtectorFactory.getInstance();
String encodedUrl = xsrfProtector.getXsrfEncodedUrl(uriPost, true, request);

%>

4.7: Insert the "encodedUrl" declared in 4.6 into the <form> found on 4.5

<form name="complainInputForm" method="post" enctype="MULTIPART/FORM-DATA" action="<webbase:encodeUrl><%=encodedUrl%></webbase:encodeUrl>">


5 add error page - xsrf_error.jsp in the same jsp folders with other jsp files

6 check the config parameter xsrf.protection.enabled of service servlet_jsp is true (use j2ee config tool, which name is configtool.bat and located on C:\usr\sap\W08\JC93\j2ee\configtool ps: change the folder name according to your own j2ee installation )


Affected SAP delivered JSP pages in FSCM_BD_605 (For lower BD releases some of the JSP files are different/not available):

content_accswitch_html.jsp
content_address_edit_html.jsp
content_advice_create_html.jsp
content_advice_edit_html.jsp
content_agentPaymentList_html.jsp
content_allContacts_html.jsp
content_allDisputes_html.jsp
content_approveConfirmation_html.jsp
content_balanceconfirmation_reply_html.jsp
content_balanceconfirmation_show_html.jsp
content_balancePayConfirmation_html.jsp
content_balancePayVerification_html.jsp
content_bank_edit_html.jsp
content_bankdetails_show_html.jsp
content_billList_approve_html.jsp
content_billList_html.jsp
content_change_password_html.jsp
content_collAuthAr_edit_html.jsp
content_collAuth_cancel_html.jsp
content_collAuth_edit_html.jsp
content_complainChangedConfirmation_html.jsp
content_complainChangedConfirmationOD_html.jsp
content_complainConfirmationDM_html.jsp
content_complainConfirmation_html.jsp
content_complainConfirmationCODM_html.jsp
content_complainInput_html.jsp
content_complainInputDM_html.jsp
content_customerSearch_html.jsp
content_customer_extension_edit_html.jsp
content_createInquiry_html.jsp
content_createInquiryMultiInvoice_html.jsp
content_createOnlyDispute_html.jsp
content_creditdetails_show_html.jsp
content_credits_html.jsp
content_creditcard_edit_html.jsp
content_disputeOverview_html.jsp
content_editInquiry_html.jsp
content_edit_new_user_html.jsp
content_general_contact_detail_html.jsp
content_inquiryConfirmation_html.jsp
content_inquiryDetail_html.jsp
content_inquiryOverview_html.jsp
content_invoiceInquiry_html.jsp
content_login_html.jsp
content_oneDispute_html.jsp
content_onlyBill_html.jsp
content_onlyDispute_html.jsp
content_P2P_create_calculate_html.jsp
content_P2P_create_confirmation_html.jsp
content_P2P_create_html.jsp
content_P2P_detail_html.jsp
content_P2P_list_html.jsp
content_P2P_withdraw_confirmation_html.jsp
content_P2P_withdraw_html.jsp
content_paidBillsDrillDown_html.jsp
content_payConfirmation_html.jsp
content_paymentsDrilldown_html.jsp
content_payVerifyPartialEntered_html.jsp
content_payVerifyPartialEnteredDM_html.jsp
content_profile_show_html.jsp
content_sample_CFE_billlist_html.jsp
content_sample_CFE_address_edit_html.jsp
content_stopConfirmation_html.jsp
content_stopPaymentConfirmation_html.jsp
content_upload_invoice_input_html.jsp
content_vendorBillList_html.jsp
content_vendorCredits_html.jsp
content_vendorPaymentSearch_html.jsp
content_vendorSearch_html.jsp
include_address_body_html.jsp
include_addressshow_collauth_html.jsp
include_header_html.jsp
include_uploadattachment_html.jsp
include_P2P_orig_items_html.jsp
Ссылки