• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1835666 - Missing authorization check in PDS_MAINT

Главная Специалистам База уязвимостей Note 1835666 - Missing authorization check in PDS_MAINT

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:S/C:P/I:P/A:PSAP)
Производитель ПО
SAP
Наименование ПО
SAP Notes (1835666-4) SAP Support Packages (SAPKH60024, SAPKH60214, SAPKH60313, SAPKH60414, SAPKH60511, SAPKH60608, SAPKH61603, SAPKH61701, SAPKIPZI4J, SAPKIPZI5J, SAPKIPZI6L)
Описание
PDS_MAINT does not contain authorization checks for checking an  authenticated user's authorization to access some of its functions. This may result in undesired system behavior.
Как исправить
Implement this note.------------------------------------------------------------------------|Manual Pre-Implement.                                                 |------------------------------------------------------------------------|VALID FOR                                                             ||Software Component   SAP_APPL                      SAP Application   || Release 600          SAPKH60001 - SAPKH60023                         || Release 602          Until SAPKH60213                                || Release 603          Until SAPKH60312                                || Release 604          SAPKH60401 - SAPKH60413                         || Release 605          Until SAPKH60510                                || Release 606          SAPKH60601 - SAPKH60607                         || Release 616          Until SAPKH61602                                || Release 617          w/o Support Packages                            |------------------------------------------------------------------------
1. Call transaction SE24 and change class CL_PDS_MAINT_CONTROL.
2. Define following new parameter for method AUTHORITY_CHECK:
           Parameter: IV_VERID
Type: Importing
Optional: Check
Typing: Type
Associated Type: VERID
3. Define the following new attributes:
           Attribute: GV_DISPLAY_HEAD
Level: Static Attribute
Visibility: Public
Typing: Type
Associated Type: Boolean
           Attribute: GV_CHANGE_HEAD
Level: Static Attribute
Visibility: Public
Typing: Type
Associated Type: Boolean
4. Switch to class CL_PDS_READ_DATA and repeat the last step.
5. Call transaction SE91 and change message class PDS_MAINT.
6. Define following new messages:
           Message: 025
Text: No authorization to display header data
Self-Explanatory: Check
           Message: 026
Text: No authorization to change operation data
Self-Explanatory: Check
           Message: 027
Text: No authorization to change header data
Self-Explanatory: Check
7. Activate all of these changes, if not done, yet.
------------------------------------------------------------------------|Manual Pre-Implement.                                                 |------------------------------------------------------------------------|VALID FOR                                                             ||Software Component   PI                            SAP R/3 PlugIn... || Release 2004_1_470   Until SAPKIPZI5I                                || Release 2004_1_46C   Until SAPKIPZI4I                                || Release 2004_1_500   Until SAPKIPZI6K                                |------------------------------------------------------------------------
1. Call transaction SE24 and change class CL_PDS_MAINT_CONTROL.
2. Define following new parameter for method AUTHORITY_CHECK:
           Parameter: IV_VERID
Type: Importing
Optional: Check
Typing: Type
Associated Type: VERID
3. Define the following new attributes:
           Attribute: GV_DISPLAY_HEAD
Level: Static Attribute
Visibility: Public
Typing: Type
Associated Type: Boolean
           Attribute: GV_CHANGE_HEAD
Level: Static Attribute
Visibility: Public
Typing: Type
Associated Type: Boolean
4. Switch to class CL_PDS_READ_DATA and repeat the last step.
5. Call transaction SE91 and change message class PDS_MAINT.
6. Define following new messages:
           Message: 025
Text: No authorization to display header data
Self-Explanatory: Check
           Message: 026
Text: No authorization to change operation data
Self-Explanatory: Check
           Message: 027
Text: No authorization to change header data
Self-Explanatory: Check
7. Activate all of these changes, if not done, yet.
Ссылки