Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1718922-1)
SAP Support Packages
(SAPKB64030, SAPKB70027, SAPKB70112, SAPKB70212, SAPKB71015, SAPKB71110, SAPKB72008, SAPKB73008)
Описание
Some pages within the Workflow Modeler Portal enable a cross-domain redirection to occur. An attacker can include a URL from a different domain in a URL of the target application, which can then be sent to a user of the target application. The user thinks that the content is from the target application, but when they visit such a page, the content is delivered from the domain chosen by the attacker. The attacker can then mimic pages of the target application (for example, a logon page) to get the victim to disclose information they would not otherwise reveal to the attacker (such as their password). This can be mitigated by restricting redirections to relative or local domains only.
Как исправить
The Workflow Modeler Portal is obsolete and needs to be deactivated. The deactivation is delivered in the following service packs:
SAP_BASIS 730 SAPKB73008
SAP_BASIS 720 SAPKB72008
SAP_BASIS 711 SAPKB71110
SAP_BASIS 710 SAPKB71015
SAP_BASIS 702 SAPKB70212
SAP_BASIS 701 SAPKB70112
SAP_BASIS 700 SAPKB70027
SAP_BASIS 640 SAPKB64030
For earlier service packs, please follow the instructions as described below.
------------------------------------------------------------------------
|Manual Activity |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_BASIS SAP Basis compo...|
| Release 640 Until SAPKB64029 |
| Release 700 SAPKB70004 - SAPKB70026 |
| Release 710 Until SAPKB71014 |
| Release 711 SAPKB71101 - SAPKB71109 |
| Release 701 Until SAPKB70111 |
| Release 702 SAPKB70201 - SAPKB70211 |
| Release 730 SAPKB73001 - SAPKB73007 |
| Release 720 SAPKB72002 - SAPKB72007 |
------------------------------------------------------------------------
Start transaction se80 and edit the BSP application "swfmod_portal". Go to the "Properties" tab and set the checkbox "XSRF Protection".
SAP_BASIS 730 SAPKB73008
SAP_BASIS 720 SAPKB72008
SAP_BASIS 711 SAPKB71110
SAP_BASIS 710 SAPKB71015
SAP_BASIS 702 SAPKB70212
SAP_BASIS 701 SAPKB70112
SAP_BASIS 700 SAPKB70027
SAP_BASIS 640 SAPKB64030
For earlier service packs, please follow the instructions as described below.
------------------------------------------------------------------------
|Manual Activity |
------------------------------------------------------------------------
|VALID FOR |
|Software Component SAP_BASIS SAP Basis compo...|
| Release 640 Until SAPKB64029 |
| Release 700 SAPKB70004 - SAPKB70026 |
| Release 710 Until SAPKB71014 |
| Release 711 SAPKB71101 - SAPKB71109 |
| Release 701 Until SAPKB70111 |
| Release 702 SAPKB70201 - SAPKB70211 |
| Release 730 SAPKB73001 - SAPKB73007 |
| Release 720 SAPKB72002 - SAPKB72007 |
------------------------------------------------------------------------
Start transaction se80 and edit the BSP application "swfmod_portal". Go to the "Properties" tab and set the checkbox "XSRF Protection".
Ссылки