• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1718922 - Potential false redirection in workflow modeler portal

Главная Специалистам База уязвимостей Note 1718922 - Potential false redirection in workflow modeler portal

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1718922-1) SAP Support Packages (SAPKB64030, SAPKB70027, SAPKB70112, SAPKB70212, SAPKB71015, SAPKB71110, SAPKB72008, SAPKB73008)
Описание
Some pages within the Workflow Modeler Portal enable a cross-domain  redirection to occur. An attacker can include a URL from a different  domain in a URL of the target application, which can then be sent to a  user of the target application. The user thinks that the content is from  the target application, but when they visit such a page, the content is  delivered from the domain chosen by the attacker. The attacker can then  mimic pages of the target application (for example, a logon page) to get  the victim to disclose information they would not otherwise reveal to  the attacker (such as their password). This can be mitigated by restricting redirections to relative or local domains only.
Как исправить
The Workflow Modeler Portal is obsolete and needs to be deactivated. The deactivation is delivered in the following service packs:
SAP_BASIS 730 SAPKB73008
SAP_BASIS 720 SAPKB72008
SAP_BASIS 711 SAPKB71110
SAP_BASIS 710 SAPKB71015
SAP_BASIS 702 SAPKB70212
SAP_BASIS 701 SAPKB70112
SAP_BASIS 700 SAPKB70027
SAP_BASIS 640 SAPKB64030

For earlier service packs, please follow the instructions as described below.





------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS                      SAP Basis compo...|
| Release 640          Until SAPKB64029                                |
| Release 700          SAPKB70004 - SAPKB70026                         |
| Release 710          Until SAPKB71014                                |
| Release 711          SAPKB71101 - SAPKB71109                         |
| Release 701          Until SAPKB70111                                |
| Release 702          SAPKB70201 - SAPKB70211                         |
| Release 730          SAPKB73001 - SAPKB73007                         |
| Release 720          SAPKB72002 - SAPKB72007                         |
------------------------------------------------------------------------

Start transaction se80 and edit the BSP application "swfmod_portal". Go to the "Properties" tab and set the checkbox "XSRF Protection".
Ссылки