• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1659560 - Unauthorized mod. of displayed content in CRM-ISE-WBF

Главная Специалистам База уязвимостей Note 1659560 - Unauthorized mod. of displayed content in CRM-ISE-WBF

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1659560-3) SAP Support Packages (712, SAPKU50021, SAPKU52011, SAPKU60012, SAPKU70012, SAPKU70109, SAPKU70203)
Описание
Pages within CRM-ISE-WBF do not sufficiently encode output parameters, resulting in a cross-site scripting issue.
Cross-site scripting can be used to steal another user's authentication
information, such as data relating to their current session. A malicious  user who gains access to this data may use it to impersonate the user  and access all information with the same rights as the target user.

If an administrator is impersonated, the security of the application may be fully compromised.
Как исправить
Please apply this note or import the changes via the relevant support package.
Note 1701662 is pre-requisite.



------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   BBPCRM                        BBP / CRM         |
| Release 500          Until SAPKU50020                                |
| Release 520          Until SAPKU52010                                |
| Release 700          SAPKU70001 - SAPKU70011                         |
| Release 600          SAPKU60001 - SAPKU60011                         |
| Release 701          SAPKU70103 - SAPKU70108                         |
| Release 702          SAPKU70201 - SAPKU70202                         |
------------------------------------------------------------------------

For proper generation of BSP pages for Web Request forms according to security guidelines some XSLT transformations must be adapted which cannot be delivered automatically.

Please, go to transaction SE80.
Enter "Packages" "WFF_FORM_GENERATOR" and display the objects.

Below "transformations" you have to change the following transformations:
WFF_GENERATE_BSP_STYLE01
WFF_GENERATE_BSP_STYLE01_C
WFF_GENERATE_BSP_STYLE01_S
Transformation WFF_GENERATE_BSP_STYLE01 is for normal Web Request form pages and WFF_GENERATE_BSP_STYLE01_S is for a Web Request form page with digital signature. For these transformations the following changes must be done:
In template "bspWritePageInstruction": Add forceEncode="html" after page language="abap"
Replace in all relevant templates application->get by application->getu
In template "bspWriteHiddenParameters": Insert raw to %= application->insert_hidden_parameters( ) so that it appears as %raw= application->insert_hidden_parameters( )
Transformation WFF_GENERATE_BSP_STYLE01_C is for Confirmation pages. For tis transformation the following canges must be done:
In template "bspWritePageInstruction": Add forceEncode="html" after page language="abap"
In template "bspWriteHiddenParameters": Insert raw to %= application->insert_hidden_parameters( ) so that it appears as %raw= application->insert_hidden_parameters( )
Do not forget to activate the transformations after doing the changes.
Ссылки