• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1515151

Главная Специалистам База уязвимостей Не установлено обновление Note 1515151

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1515151-5) SAP Support Packages (SAPK-31219INCPROJECT, SAPK-31220INCPROJECT, SAPK-31419INCPROJECT, SAPK-31420INCPROJECT, SAPK-40019INCPRXRPM, SAPK-45010INCPRXRPM, SAPK-45011INCPRXRPM, SAPK-50004INCPRXRPM, SAPK-50005INCPRXRPM)
Описание
PLM-CFO executes certain functions through referencing specific URLs.  When an attacker tricks an authenticated user#s browser into making a  request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Please apply following steps:
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report BSP_XSRF_PARAM_CFOLDERS in your system.
3. Execute the report BSP_XSRF_PARAM_CFOLDERS and specify when requested a corresponding transport request number. The report will fill the database table BSPTEMPXSRFSTORE with corresponding table entries for the BSP applications adapted by this note.




------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component CPRXRPM SAP Project Por...|
| Release 500_702 Until SAPK-50003INCPRXRPM |
------------------------------------------------------------------------

For successfully implementing this note you must need to implement this mannual instruction else none of the change will work.

You need to Mark the flag "XSRF protection" for the following BSP Application:
1. CFX_RFC_UI
2. CFX_ARCH_UI

Step for mannual change which you can follow for both BSP Application(CFX_RFC_UI and CFX_ARCH_UI):
Step 1: SE80 -> BSP Application
Step 2: Double-click on the application and switch to the " Properties" tab.
Step 3: Mark the flag "XSRF-Protection".
Ссылки