• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1511031

Главная Специалистам База уязвимостей Не установлено обновление Note 1511031

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1511031-5) SAP Support Packages (ISR_WORKFORCE_MANAGEMENT_10_SP012_000000, ISR_WORKFORCE_MANAGEMENT_10_SP999999_999999, ISR_WORKFORCE_MANAGEMENT_31_SP006_000000, ISR_WORKFORCE_MANAGEMENT_31_SP999999_999999, ITIME_CLOCK_SERVER_20_SP012_000000, ITIME_CLOCK_SERVER_20_SP999999_999999, ITIME_CLOCK_SERVER_31_SP006_000000, ITIME_CLOCK_SERVER_31_SP999999_999999)
Описание
WFM (CA-GTF-WFA) executes certain functions through referencing specific  URLs. When an attacker tricks an authenticated user#s browser into  making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
The changes corresponding to the XSRF adoption are included in the Correction Request and these changes are available in the current Support Package. More information regarding XSRF protection can be found in Note 1450166.
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.
The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for WFM (CA-GTF-WFA).
SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for WFM (CA-GTF-WFA), please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.
Once you have reviewed the above mentioned document, please proceed in following the detailed outlined steps which are specific to WFM (CA-GTF-WFA).

HOW TO ADAPT WFM (CA-GTF-WFA) IN A STANDARD SCENARIO.

1) XSRF protection for WFM (CA-GTF-WFA) uses the standard XSRF protection approach (please refer to the protection guide for details).
2) Copy the 'xsrf-config.xml' file attached to this note in the '/WEB-INF' directory of your application.

3) Replace the JSP files of the application with the files attached to this note. The pages have been enhanced in a way that a token is attached to state-critical actions (either as URL parameter or as hidden form field).

4) In case the JSP pages you use have been modified (i.e. because of customer-specific branding), you need to include the changes which add the tokens to state-changing actions manually, otherwise the modifications would be lost.

5) In case you have added own pages with state-changing actions (or additional state-changing actions on existing pages), you need to ensure XSRF protection for these actions manually.
a. Configure the additional actions triggering state-changes on AS Java in the 'xsrf-config.xml' file. Please refer to the Protection Guide for details on how to do this.
b. Include URL-parameters or hidden form fields on the pages which add the tokens. Please refer to the Protection Guide for details on how to do this.

Affected SAP delivered JSP pages in WFM (CA-GTF-WFA):

swapshifts.jsp
isv.jsp
replacements.jsp
scheduleevents.jsp
startup.jsp
ewsvpopup.jsp
weeklyschedule.jsp
scheduletrack.jsp
corecoverage.jsp
startup.jsp
tasks.jsp
Config.jsp
ophours.jsp
status.jsp
/aslForecasting/forecast/forecastAdjust.jsp
/aslForecasting/startup/startup.jsp
/aslForecasting/workload/workloadAdjust.jsp
/employee/pa/hire/pa.jsp
/employee/pa/rehire/parehire.jsp
/employee/pa/terminate/paterminate.jsp
/employee/pa/transfer/patransfer.jsp
/employee/pa/update/paupdate.jsp
/employee/profile/profile.jsp
contracts.jsp
workRules.jsp
startup.jsp
timeoff.jsp
work_area_qual.jsp
budgetconstraints.jsp
manualinput.jsp
modify.jsp
parameters.jsp
startup/startup.jsp
templates.jsp
calculate.jsp
copy.jsp
dailyschedule.jsp
availShifs.jsp
dataServiceConfig.jsp
iTimeClock.jsp
mngoveride.jsp
ArchiveTimeData.jsp
Overide.jsp
Punches.jsp
benadjpopup.jsp
startup.jsp
dbUtil.jsp
Config.jsp
Ссылки