• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1511782

Главная Специалистам База уязвимостей Не установлено обновление Note 1511782

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1511782-2)
Описание
Signature Service of SAP Billing Consolidation 2.0 SP4 AH executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request  containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
XSRF attacks have to be addressed inside Web applications. These
applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.

The SAP NetWeaver Application Server Java (AS Java) has been enhanced
with the XSRF Protection Framework. You can secure your web-application
with the token-based approach by adopting the framework. This note
contains the adoption of the XSRF Protection Framework for Signature Service of SAP Billing Consolidation 2.0.

SAP's XSRF Protection Framework is available for specific versions of
SAP NetWeaver. Please refer to Note 1450166 for details regarding
availability. In order to enable XSRF protection for the Signature Service of SAP Billing Consolidation 2.0, please apply the above mentioned Note prior to undertaking the steps highlighted in
this Note. Furthermore, please refer to the SAP XSRF Protection Guide
which is attached to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.

Once you have reviewed the above mentioned document, please proceed in
following the detailed outlined steps which are specific to the Signature Service of SAP Billing Consolidation 2.0.

HOW TO ADAPT Signature Service of SAP Billing Consolidation 2.0 IN A STANDARD SCENARIO:

The solution is implemented in the following support packages:
Signature Service of SAP Billing Consolidation 2.0 SP4 AK or later.

Download the relevant SP for your release from the SAP Service
Marketplace and deploy it on your AS Java.

Reminder: Additionally you will need to implement Netweaver patches. You can find the specifics in note 1450166. Please note that those Netweaver patches are a prerequisite to implementing the aforementioned
Signature Service of SAP Billing Consolidation 2.0 support packages.
Ссылки