Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1665973-4)
SAP Support Packages
(SAPKIBKS18, SAPKIBKT20, SAPKIBKT21)
Описание
The ITS Service BBPWI for application SRM component SRM-EBP-WFL do not sufficiently encode OUTPUT parameters, resulting in a cross-site scripting issue.
Cross-site scripting can be used to steal another user's authentication information, such as data relating to their current session. A malicious user who gains access to this data may use it to impersonate the user and access all information with the same rights as the target user.
If an administrator is impersonated, the security of the application may be fully compromised.
Cross-site scripting can be used to steal another user's authentication information, such as data relating to their current session. A malicious user who gains access to this data may use it to impersonate the user and access all information with the same rights as the target user.
If an administrator is impersonated, the security of the application may be fully compromised.
Как исправить
For SRM_SERVER 550: As this is based on basis release 700 the external ITS is not supported anymore. Therefore the solution requires following the new guidance to create a report that sets the appropriate SICF service parameters :
1. Implement the support package or carry out the correction instruction.
2. Run report SRM_ITS_XSS_PARAM
SRM_SERVER 500: This is based on basis release 640 which could use internal of external ITS services
Implement the support package or carry out the correction instruction. Afterwards there will be the 2 important ITS parameters ~AUTO_HTML_ESCAPING = 1 and ~NEW_XSS_FUNCTIONS = 1 to switch on the encoding
The corrections of this note do only have an protecting effect if the
corrections of notes 1621946 and 1488500 are implemented.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SRM_SERVER |
| Release 550 Until SAPKIBKT19 |
------------------------------------------------------------------------
When installing this note the report SRM_ITS_XSS_PARAM is created. Please run this report to add the new SICF-GUI-parameters that control the encoding behavior to the Internet Services mentioned in the note.
1. Implement the support package or carry out the correction instruction.
2. Run report SRM_ITS_XSS_PARAM
SRM_SERVER 500: This is based on basis release 640 which could use internal of external ITS services
Implement the support package or carry out the correction instruction. Afterwards there will be the 2 important ITS parameters ~AUTO_HTML_ESCAPING = 1 and ~NEW_XSS_FUNCTIONS = 1 to switch on the encoding
The corrections of this note do only have an protecting effect if the
corrections of notes 1621946 and 1488500 are implemented.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SRM_SERVER |
| Release 550 Until SAPKIBKT19 |
------------------------------------------------------------------------
When installing this note the report SRM_ITS_XSS_PARAM is created. Please run this report to add the new SICF-GUI-parameters that control the encoding behavior to the Internet Services mentioned in the note.
Ссылки