• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1593164 - Directory Traversal in Treasury Confirmation

Главная Специалистам База уязвимостей Note 1593164 - Directory Traversal in Treasury Confirmation

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1593164-3) SAP Support Packages (616, SAPK-60310INEAPS, SAPK-60411INEAPS, SAPK-60507INEAPS, SAPK-60602INEAPS, SAPKGPPA34, SAPKGPPB23, SAPKGPPC27, SAPKGPPD21)
Описание
1.The programs specified in the correction instructions contain  vulnerabilities through which an attacker can potentially read arbitrary  files on the remote server, possibly disclosing confidential information.2. Some of the programs specified in the correction instructions contain  a vulnerability through which an attacker can potentially write  arbitrary files to the remote server, possibly corrupting data or altering system behavior.
Как исправить
See 1497003 for additional information on this issue. The corrections from Note 1497003 are a prerequisite for implementing this note.
Create the logical file/path names.
Logical path name:  PSM_AUTO_TC_CREATE_PATHLogical file name:  PSM_AUTO_TC_CREATE_FILE
Logical path name: PSM_AUTO_TC_SWIFT_CREATE_PATHLogical file name: PSM_AUTO_TC_SWIFT_CRE_FILE
Recommendations for setting up logical file namesTo avoid maintaining a high number of logical file names, some of the programs share the same logical file name.Using the same logical file name for various programs creates dependencies among these programs. To securely separate data created by different users and different programs, try to create a directory structure that reflects the user name and/or program name, and use this information when setting up the physical path and file names for the logical file paths and file names.
Apply attached source code corrections.
Ссылки