• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1512595

Главная Специалистам База уязвимостей Не установлено обновление Note 1512595

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1512595-5)
Описание
LSOCP (which contains Servlets/JSP pages) executes state changing  functionality via referencing URLs. In certain scenarios, it is possible  for an unauthorized and unauthenticated third party to trigger this  functionality on behalf of an authorized authenticated user without the latter's knowledge and/or consent.
Как исправить
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.

The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for LSOCP.

SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for LSOCP, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.

Once you have reviewed the above mentioned document, please proceed in following the detailed outlined steps which are specific to LSOCP.

HOW TO ADAPT LSOCP IN A STANDARD SCENARIO
1)XSRF protection for LSOCP uses the custom XSRF protection approach (please refer to the protection guide for details).
2)Please apply the below SP's of relevant LSOCP on SAP J2EE Web AS for XSRF protected version of LSOCP.
SP9 of LSOCP604
SP9 of LSOCP602
SP19 of LSOCP600
SP22 of LSOCP300
SP34 of LSOCP200
Ссылки