Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:S/C:P/I:P/A:PSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1767956-3)
Описание
BC-SRV-KPR-CS fails to correctly validate the path that is used to reference a file that is read from the remote server. As a result, an attacker can potentially direct the program to an arbitrary other file in the system, disclosing its contents and fails to correctly validate the path a user-submitted file is written to. Through this, an attacker can potentially overwrite data on the remote system.
Как исправить
Please do the below steps to disable the Directory browsing in IIS and Apache respectively.Steps to disable Directory browsing in IIS 7:1. Open IIS Manager and navigate to the level you want to manage.2. In Features View, double-click Directory Browsing.3. In the Actions pane, click Disable if the Directory Browsing feature is enabled.Steps to disable Directory Browsing in IIS 5.1 or IIS6:1. Open IIS Manager.2. Find your sap content server web site(E.G: SAP_Content_Server) and right click and select Properties either on the site or a folder you wish to use directory browsing with.3. Click the Home Directory tab and uncheck the box next to Directory Browsing to disable the directory browsing.4. Click apply and OK.Once you do the above changes please restart IIS so that changes are taken into effect.Steps to Disable Directory browsing in Apache:The basic httpd.conf file contains the entry Options.Indexes in the Directory section which contains the htdocs.An example is shown below Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all This entry allows the user to browse the directory structure.To turn directory browsing off, add a "-" in front of Indexes after Options as shown below. Options -Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all Once you do the above changes please restart apache so that changes are taken into effect.
Ссылки