• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1506243

Главная Специалистам База уязвимостей Не установлено обновление Note 1506243

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1506243-7) SAP Support Packages (SAPKH50024, SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60503, SAPKH60504)
Описание
QM executes certain functions through referencing specific URLs. When an  attacker tricks an authenticated user's browser into making a request  containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM_QM in your system.
3. Execute the report ITS_XSRF_PARAM_QM and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_APPL SAP Application |
| Release 605 Until SAPKH60503 |
------------------------------------------------------------------------

Start the transaktion SICF.
Execute the following steps for the services QC40, QC40A, QC42, QISR, QISRW, QEW01 and QMW1.
1. Specify the service name and execute the transaction SICF. You find the services within transaction SICF using the path /sap/bc/gui/sap/its/<Service>.
2. Doubleclick within the tree for the corresponding service name and switch then to the change mode.
3. Press the push button "GUI Configuration".
a) Insert for the services QC40, QC40A and QC42 the following new parameters:
~XSRFCHECK with the value 1
~OKCODE_PERMIT with the value LOGI
b) Insert for the service QEW01 the following new parameters:
~XSRFCHECK with the value 1
~OKCODE_PERMIT with the value LOGIN
c) Insert for the service QMW1 the following new parameters:
~XSRFCHECK with the value 1
~OKCODE_PERMIT with the value CRNO , NOLI
d) Insert for the services QISR und QISRW the following new parameters:
~XSRFCHECK with the value 1
~OKCODE_PERMIT with the value MYNOTI
4. Save your changes.
Ссылки