• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1599567 - Unauthorized use of application functions in Dealer portal

Главная Специалистам База уязвимостей Note 1599567 - Unauthorized use of application functions in Dealer portal

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:N/C:P/I:P/A:P)
Производитель ПО
SAP
Наименование ПО
SAP Notes (1599567-4) SAP Support Packages (SAPK-60211INEAAPPL, SAPK-60212INEAAPPL, SAPK-60310INEAAPPL, SAPK-60311INEAAPPL, SAPK-60411INEAAPPL, SAPK-60412INEAAPPL, SAPK-60507INEAAPPL, SAPK-60509INEAAPPL, SAPK-60602INEAAPPL, SAPK-60604INEAAPPL, SAPKGPAD21, SAPKGPAD22)
Описание
The Automotive Dealer Portal executes certain functions by referencing  specific URLs. When an attacker tricks an authenticated user's browser  into making a request containing a certain URL and specific parameters,  the function is executed with the rights of the authenticated user.

The attacker may use a Cross Site Scripting attack to do this, or they may present a link to the victim.
Как исправить
The corrections of the XSRF protection is enabled via the Workbench.

For EA-APPL 605 and the subsequent lower releases, please follow the manual correction instructions attached.

Please note:-
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note.




------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   EA-APPL                        SAP R/3 Enterpr...|
| Release 600          SAPKGPAD01 - SAPKGPAD21                         |
| Release 602          Until SAPK-60211INEAAPPL                        |
| Release 603          Until SAPK-60310INEAAPPL                        |
| Release 604          SAPK-60401INEAAPPL - SAPK-60411INEAAPPL         |
| Release 605          SAPK-60503INEAAPPL - SAPK-60508INEAAPPL         |
| Release 606          SAPK-60601INEAAPPL - SAPK-60603INEAAPPL         |
------------------------------------------------------------------------

/sapdii/di_spp_ui:
1) Open the BSP application /sapdii/di_spp_ui in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Navigate to the controllers c_spp_main.do, c_spp_header.do, c_spp_overview.do, c_spp_del.do, c_spp_inv.do, c_spp_ord.do, c_spp_ret.do
4) Check the flag 'Start BSP'.
5) Save and activate the BSP application.

/sapdii/dwb:
1) Open the BSP application /sapdii/dwb in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.

/sapdii/di_dp_common:
1) Open the BSP application /sapdii/di_dp_common in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.
Ссылки