• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1665973 - Unauthorized modificat. of displayed content in SRM-EBP-WFL

Главная Специалистам База уязвимостей Note 1665973 - Unauthorized modificat. of displayed content in SRM-EBP-WFL

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1665973-4) SAP Support Packages (SAPKIBKS18, SAPKIBKT20, SAPKIBKT21)
Описание
The ITS Service BBPWI for application SRM component SRM-EBP-WFL do not  sufficiently encode OUTPUT parameters, resulting in a cross-site scripting issue.

Cross-site scripting can be used to steal another user's authentication  information, such as data relating to their current session. A malicious  user who gains access to this data may use it to impersonate the user  and access all information with the same rights as the target user.

If an administrator is impersonated, the security of the application may be fully compromised.
Как исправить
For SRM_SERVER 550: As this is based on basis release 700 the external ITS is not supported anymore. Therefore the solution requires following the new guidance to create a report that sets the appropriate SICF service parameters :

1. Implement the support package or  carry out the correction instruction.
2. Run report SRM_ITS_XSS_PARAM

SRM_SERVER 500: This is based on basis release 640 which could use internal of external ITS services

Implement the support package or  carry out the correction instruction. Afterwards there will be the 2 important ITS parameters ~AUTO_HTML_ESCAPING = 1 and ~NEW_XSS_FUNCTIONS = 1 to switch on the encoding

The corrections of this note do only have an protecting effect if the
corrections of notes 1621946 and 1488500 are implemented.





------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SRM_SERVER                                       |
| Release 550          Until SAPKIBKT19                                |
------------------------------------------------------------------------

When installing this note the report SRM_ITS_XSS_PARAM is created. Please run this report to add the new SICF-GUI-parameters that control the encoding behavior to the Internet Services mentioned in the note.
Ссылки