Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1508050-4)
SAP Support Packages
(SAPKH60409, SAPKH60503)
Описание
The problem is caused by an SQL injection vulnerability. The code composes an SQL statement including strings that can be altered by a malicious user. The manipulated SQL statement can then be used to modify information in the database.
Как исправить
Due to the complexity of the changes and the number of correction instructions, we strongly recommend that you import the relevant Support Package.
The following Support Packages (SPs) contain the corrections:
Release Support Package
604 SAPKH06409
605 SAPKH60503
If this note is to be implemented in advance, you must execute the following steps manually (if automatic implementation is not possible): You must create all new objects in the package EDX.
1. In Report EDX_DEL check/create the Text Symbol B01
Text: "Status Selection"
Length: 100
2. In Report EDX_DEL check/create the Text Symbol B02
Text: "Processing"
Length: 100
3. In Report EDX_DEL check/create the Text Symbol B03
Text: "Message selection"
Length: 100
4. In Report EDX_DEL check/create the Text Symbol B04
Text: "To delete from table EDX_PARK"
Length: 100
5. In Report EDX_DEL check/create the Text Symbol T05
Text: "&1 message(s) deleted"
Length: 100
6. In Report EDX_DEL check/complete the Selection Text P_DOCTYP
Text: "Message type"
Dictionary reference: not checked
7. In Report EDX_DEL check/complete the Selection Text P_TEST
Text: "Test System!"
Dictionary reference: not checked
Save and activate your changes.
8. If it it not possible to 'Activate' the Report EDX_DEL because the class EDX_AUTHORIZATION does not exist, then uncomment this class in the DATA declatarion and their use in Code.
9. If it it not possible to 'Activate' the Report EDX_DEL because the methode CHECK_FOR_AUTHORIZED_MSGS in class EDX_PROCESS_DOCSET, then uncomment this class in the DATA declatarion and their use in Code.
Save and activate your changes.
The following Support Packages (SPs) contain the corrections:
Release Support Package
604 SAPKH06409
605 SAPKH60503
If this note is to be implemented in advance, you must execute the following steps manually (if automatic implementation is not possible): You must create all new objects in the package EDX.
1. In Report EDX_DEL check/create the Text Symbol B01
Text: "Status Selection"
Length: 100
2. In Report EDX_DEL check/create the Text Symbol B02
Text: "Processing"
Length: 100
3. In Report EDX_DEL check/create the Text Symbol B03
Text: "Message selection"
Length: 100
4. In Report EDX_DEL check/create the Text Symbol B04
Text: "To delete from table EDX_PARK"
Length: 100
5. In Report EDX_DEL check/create the Text Symbol T05
Text: "&1 message(s) deleted"
Length: 100
6. In Report EDX_DEL check/complete the Selection Text P_DOCTYP
Text: "Message type"
Dictionary reference: not checked
7. In Report EDX_DEL check/complete the Selection Text P_TEST
Text: "Test System!"
Dictionary reference: not checked
Save and activate your changes.
8. If it it not possible to 'Activate' the Report EDX_DEL because the class EDX_AUTHORIZATION does not exist, then uncomment this class in the DATA declatarion and their use in Code.
9. If it it not possible to 'Activate' the Report EDX_DEL because the methode CHECK_FOR_AUTHORIZED_MSGS in class EDX_PROCESS_DOCSET, then uncomment this class in the DATA declatarion and their use in Code.
Save and activate your changes.
Ссылки