Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1537670-3)
Описание
FSCM_BD executes state changing functionality via referencing URLs. In certain scenarios, it is possible for an unauthorized and unauthenticated third party to trigger this functionality on behalf of an authorized authenticated user without the latter's knowledge and/or consent. Prerequisite is note 1509214.
Как исправить
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.
The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for FSCM_BD.
SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for FSCM_BD, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.
Once you have reviewed the above mentioned document, please proceed in following the detailed outlined steps which are specific to FSCM_BD.
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.
The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for FSCM_BD.
SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for FSCM_BD, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.
The main correction part of the issue is presented in the note 1509214. Please apply it before.
Additional affected SAP delivered JSP pages in FSCM_BD_604 and lower BD releases (some of the JSP files are different/not available):
For the following jsp pages, we implement xsrf protection as mentioned in the note 1509214 -
content_activitySearch_html.jsp
content_downloadFormatChoose_html.jsp
content_custExtension_html.jsp
content_info_html.jsp
content_comp_user_show_html.jsp
For the jsp page "content_comp_user_edit_html.jsp", since it has no specific url in form's action attribute, we use XSRF manual protection method to encode the url
1. Put the following code into the declaration part of the jsp
<%
com.sap.xsrf.XSRFProtector xsrfProtector = com.sap.xsrf.XSRFProtectorFactory.getInstance();
String hiddenXsrfField = xsrfProtector.getXsrfEncodedFormField("/", true, request);
%>
2. Insert the hidden field "hiddenXsrfField" declared in 1 into the <form>
<form method="post" name="frmPartnerInfo" action="">
<%=hiddenXsrfField%> //this is a new line
</form>
The following jsp pages in HTMLB and obsolete.
content_suss_credits_html.jsp
content_suss_invoices_html.jsp
content_suss_payments_html.jsp
The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for FSCM_BD.
SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for FSCM_BD, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.
Once you have reviewed the above mentioned document, please proceed in following the detailed outlined steps which are specific to FSCM_BD.
XSRF attacks have to be addressed inside Web applications. These applications must ensure that for state changing operations they are not relying only on credentials or tokens that are automatically submitted by browsers. A common approach is including a special token in each request, which is associated with the user session and is valid only for the session lifetime.
The SAP NetWeaver Application Server Java (AS Java) has been enhanced with the XSRF Protection Framework. You can secure your web-application with the token-based approach by adopting the framwork. This note contains the adoption of the XSRF Protection Framework for FSCM_BD.
SAP's XSRF Protection Framework is available for specific versions of SAP NetWeaver. Please refer to Note 1450166 for details regarding availability. In order to enable XSRF protection for FSCM_BD, please apply the above mentioned Note prior to undertaking the steps highlighted in this Note. Furthermore, please refer to the SAP XSRF Protection Guide which is to Note 1450166 in order to gain an overall understanding of the XSRF protection procedure.
The main correction part of the issue is presented in the note 1509214. Please apply it before.
Additional affected SAP delivered JSP pages in FSCM_BD_604 and lower BD releases (some of the JSP files are different/not available):
For the following jsp pages, we implement xsrf protection as mentioned in the note 1509214 -
content_activitySearch_html.jsp
content_downloadFormatChoose_html.jsp
content_custExtension_html.jsp
content_info_html.jsp
content_comp_user_show_html.jsp
For the jsp page "content_comp_user_edit_html.jsp", since it has no specific url in form's action attribute, we use XSRF manual protection method to encode the url
1. Put the following code into the declaration part of the jsp
<%
com.sap.xsrf.XSRFProtector xsrfProtector = com.sap.xsrf.XSRFProtectorFactory.getInstance();
String hiddenXsrfField = xsrfProtector.getXsrfEncodedFormField("/", true, request);
%>
2. Insert the hidden field "hiddenXsrfField" declared in 1 into the <form>
<form method="post" name="frmPartnerInfo" action="">
<%=hiddenXsrfField%> //this is a new line
</form>
The following jsp pages in HTMLB and obsolete.
content_suss_credits_html.jsp
content_suss_invoices_html.jsp
content_suss_payments_html.jsp
Ссылки