• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1535298

Главная Специалистам База уязвимостей Не установлено обновление Note 1535298

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1535298-2)
Описание
AMC Web Editor Application executes certain functions by referencing  specific URLs. When malicious user tricks an authenticated user's  browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the  authenticated user.

The malicious user may use a cross-site scripting attack to do this, or they may present a link to the victim.
Как исправить
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.

The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framework. This note contains the adoption of the XSRF Protection Framework for AMC Web Editor Application.

SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for AMC Web Editor Application, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.

Once you have reviewed the above mentioned document, please refer to the attached file "How_to_Protect_AMC_against_XSRF.zip" and follow the detailed outlined steps which are specific to AMC Web Editor Application.

Starting from the AMC versions list below:
For AMC 2.0: applet version 181
For AMC 3.0: applet version 168
For AMC 4.0: applet version 02
The AMC Web Editor Demo Application contains a fix for XSRF by using the libraries provided by NW framework.
Ссылки