• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1525137

Главная Специалистам База уязвимостей Не установлено обновление Note 1525137

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1525137-4) SAP Support Packages (SAPK-70205INSAPBSFND)
Описание
BCV executes certain functions through referencing specific URLs. When  an attacker tricks an authenticated user's browser into making a request  containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. If you have not yet imported support package SP05 of software component SAP_BS_FND 702 perform the manual correction instructions described below.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_BS_FND |
| Release 702 Until SAPK-70204INSAPBSFND |
------------------------------------------------------------------------
1. Start transaction SICF (HTTP Service Hierarchy Maintenance).
2. On the selection screen, enter service path '/sap/bc/webdynpro/bcv/' and service name 'WDC_UIF_CHIP' and execute the transaction.
3. Choose service WDC_UIF_CHIP by double-clicking on the corresponding entry of the tree and switch to change mode.
4. Press the GUI Configuration pushbutton.
5. In the dialog box, enter service parameter ~XSRFCHECK with value 1.
6. Save the changes.
Ссылки