• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1522247

Главная Специалистам База уязвимостей Не установлено обновление Note 1522247

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1522247-1) SAP Support Packages (SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60504)
Описание
The services mentioned above executes certain functions through  referencing specific URLs. When an attacker tricks an authenticated  user's browser into making a request containing a certain URL and  specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Implement the changes attached with the note.

For release 605 of SAP_APPL, follow the steps mentioned below and make the changes accordingly.
Start transaction SICF.
Process following steps for each service mentioned above.
Enter the name and the service and execute SICF (You will find the services in SICF under the path /sap/bc/gui/sap/its/<service> )
Double click on the service name in the tree and switch to the change mode
Choose the GUI configuration
Add the parameter ~XSRFCHECK with value 1
Save the settings
Note the following.

1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM_DMS in your system.
3. Execute the report ITS_XSRF_PARAM_DMS and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки