Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:N/C:N/I:P/A:NSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1412864-6)
Описание
Some pages within Xcelsius Dashboards enable a cross-domain redirection to occur. An attacker can include a URL from a different domain in a URL of the target application, which can then be sent to a user of the target application. The user thinks that the content is from the target application, but when they visit such a page, the content is delivered from the domain chosen by the attacker. The attacker can then mimic pages of the target application (for example, a logon page) to get the victim to disclose information they would not otherwise reveal to the attacker (such as their password). This can be mitigated by restricting redirections to relative or local domains only.
Как исправить
The Adobe Flash Player requires that a crossdomain.xml file is stored on the server in the case of a Web service call from a Flash file. This crossdomain.xml description is used to ensure that the requesting ShockWave Flash (SWF) is also authorized to retrieve data from the server.For the Xcelsius scenario, an appropriate crossdomain.xml has already been delivered in the BICS Web service deployment. This cannot be changed because it is returned by a servlet. The servlet can be accessed using the following alias: http://:500/bicsremotecrossdomain.xmlBy default, crossdomain.xml does not need to be adjusted. If specific security settings are required for the Xcelsius dashboards, bicsremotecrossdomain.xml may be overwritten when an appropriate crossdomain.xml is created in the of the application server.
Ссылки