Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:N/C:P/I:P/A:P)
Производитель ПО
Наименование ПО
SAP Notes
(1599567-4)
SAP Support Packages
(SAPK-60211INEAAPPL, SAPK-60212INEAAPPL, SAPK-60310INEAAPPL, SAPK-60311INEAAPPL, SAPK-60411INEAAPPL, SAPK-60412INEAAPPL, SAPK-60507INEAAPPL, SAPK-60509INEAAPPL, SAPK-60602INEAAPPL, SAPK-60604INEAAPPL, SAPKGPAD21, SAPKGPAD22)
Описание
The Automotive Dealer Portal executes certain functions by referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the authenticated user.
The attacker may use a Cross Site Scripting attack to do this, or they may present a link to the victim.
The attacker may use a Cross Site Scripting attack to do this, or they may present a link to the victim.
Как исправить
The corrections of the XSRF protection is enabled via the Workbench.
For EA-APPL 605 and the subsequent lower releases, please follow the manual correction instructions attached.
Please note:-
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note.
------------------------------------------------------------------------
|Manual Activity |
------------------------------------------------------------------------
|VALID FOR |
|Software Component EA-APPL SAP R/3 Enterpr...|
| Release 600 SAPKGPAD01 - SAPKGPAD21 |
| Release 602 Until SAPK-60211INEAAPPL |
| Release 603 Until SAPK-60310INEAAPPL |
| Release 604 SAPK-60401INEAAPPL - SAPK-60411INEAAPPL |
| Release 605 SAPK-60503INEAAPPL - SAPK-60508INEAAPPL |
| Release 606 SAPK-60601INEAAPPL - SAPK-60603INEAAPPL |
------------------------------------------------------------------------
/sapdii/di_spp_ui:
1) Open the BSP application /sapdii/di_spp_ui in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Navigate to the controllers c_spp_main.do, c_spp_header.do, c_spp_overview.do, c_spp_del.do, c_spp_inv.do, c_spp_ord.do, c_spp_ret.do
4) Check the flag 'Start BSP'.
5) Save and activate the BSP application.
/sapdii/dwb:
1) Open the BSP application /sapdii/dwb in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.
/sapdii/di_dp_common:
1) Open the BSP application /sapdii/di_dp_common in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.
For EA-APPL 605 and the subsequent lower releases, please follow the manual correction instructions attached.
Please note:-
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note.
------------------------------------------------------------------------
|Manual Activity |
------------------------------------------------------------------------
|VALID FOR |
|Software Component EA-APPL SAP R/3 Enterpr...|
| Release 600 SAPKGPAD01 - SAPKGPAD21 |
| Release 602 Until SAPK-60211INEAAPPL |
| Release 603 Until SAPK-60310INEAAPPL |
| Release 604 SAPK-60401INEAAPPL - SAPK-60411INEAAPPL |
| Release 605 SAPK-60503INEAAPPL - SAPK-60508INEAAPPL |
| Release 606 SAPK-60601INEAAPPL - SAPK-60603INEAAPPL |
------------------------------------------------------------------------
/sapdii/di_spp_ui:
1) Open the BSP application /sapdii/di_spp_ui in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Navigate to the controllers c_spp_main.do, c_spp_header.do, c_spp_overview.do, c_spp_del.do, c_spp_inv.do, c_spp_ord.do, c_spp_ret.do
4) Check the flag 'Start BSP'.
5) Save and activate the BSP application.
/sapdii/dwb:
1) Open the BSP application /sapdii/dwb in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.
/sapdii/di_dp_common:
1) Open the BSP application /sapdii/di_dp_common in SE80 transaction.
2) In the Properties tab of the BSP application, check the flag 'XSRF Protection'.
3) Save and activate the BSP application.
Ссылки