
Monday, April 11, 2011

SAP Note 1334244 - Some Fields are susceptible to Cross-site scripting




Symptom
You create a shopping cart and enter an item description that contains JavaScript. If the shopping cart (SC) then has an error, the error message content is displayed incorrectly and the JavaScript in the item description is executed.


Other terms
BBPSC01, BBPSC02, Description, XSS, cross-site scripting, Attachment


Reason and Prerequisites
This problem is caused by a program error. The error messages are not masked correctly.


Solution
Please apply the correction instructions or the relevant support package to resolve the issue.



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SRM_SERVER          500      500           500




Visit https://service.sap.com/sap/support/notes/1334244 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1334396 - Security Checks: Removal of hardcoded user names

Symptom

Security Checks: Removal of hardcoded user names


Other terms
Sy-uname, Security Checks


Reason and Prerequisites
This problem is caused by a program error.


Solution
Implement the source code changes.



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SAP_APO             30       30A           30A
SAP_APO             310      310           310
SCM                 400      400           400
SCM                 410      410           410
SCM                 500      500           500
SCM                 510      510           510
SCM                 700      700           700


Visit https://service.sap.com/sap/support/notes/1334396 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1335103 - Security correction: removal of hardcoded user names

Symptom
Some code belonging to the specified components includes hardcoded user names. These statements are dangerous from a security point of view and therefore need to be removed from the code.


Other terms
Security, CBF, Macro Builder


Reason and Prerequisites
Program error.


Solution
Implement this note to ensure the security of the related applications.



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SAP_APO             30       30A           30A
SAP_APO             310      310           310
SCM                 400      400           400
SCM                 410      410           410
SCM                 500      500           500
SCM                 510      510           510
SCM                 700      700           700


Visit https://service.sap.com/sap/support/notes/1335103 for Correction delivered in Support Package & Corrections Instructions



SAP Note 1335926 - Some Fields are susceptible to Cross-site scripting



Symptom

You create a bid invitation, go to the Dynamic Attributes tab, and enter a dynamic attribute description such as "<a href="javascript:alert();">Click me!</a>".
When you switch tabs or open the bid invitation again, the system displays a dialog box that contains the text "Click me!".
The same problem occurs when you enter such a value as the description of other fields, such as Partner details and Bidder output data details in the bid invitation, and Incoterm Description in the quotation.



Other terms
BBP_BID_INV, BBP_QUOT, Description, XSS, cross-site scripting, Partner details, Bidder output data details, Incoterm Description


Reason and Prerequisites
This problem is caused by a program error. The fields were not masked correctly.


Solution
Import the relevant Support Package or implement the attached correction instructions.
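As an added illustration (not SAP's code) of what "the fields were not masked correctly" means in notes 1334244 and 1335926: a constructed error template echoes the description, first unmasked and then HTML-escaped with Python's standard html.escape, and a small check lists any tags the template itself did not emit. The template, the harmless description and the check are assumptions of this example; the payload is the one quoted in the note.

```python
"""Added example (not SAP's code): what "fields were not masked correctly"
means for the XSS notes above, using the description from note 1335926."""
import html
import re

_TAG = re.compile(r"</?[a-zA-Z][^>]*>")

# Constructed template: an error text that echoes the item description.
_TEMPLATE = "<div class='error'>Item '{desc}' could not be saved.</div>"
_TEMPLATE_TAGS = {"<div class='error'>", "</div>"}


def render_unmasked(description: str) -> str:
    """Vulnerable: the description goes into the HTML text node as-is."""
    return _TEMPLATE.format(desc=description)


def render_masked(description: str) -> str:
    """Fixed: escape the value for the HTML context it is placed in."""
    return _TEMPLATE.format(desc=html.escape(description, quote=True))


def injected_tags(rendered: str) -> list[str]:
    """Tags in the output that the template did not emit itself; the
    browser would treat any of these as markup, not as description text."""
    return [t for t in _TAG.findall(rendered) if t not in _TEMPLATE_TAGS]


# Constructed inputs: a harmless description and the one from the note.
HARMLESS = 'Laptop bag, 15"'
PAYLOAD = '<a href="javascript:alert();">Click me!</a>'

if __name__ == "__main__":
    for desc in (HARMLESS, PAYLOAD):
        for render in (render_unmasked, render_masked):
            out = render(desc)
            print(f"{render.__name__:16} injected={injected_tags(out)}")
```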



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SRM_SERVER          500      500           500
SRM_SERVER          550      550           550


Visit https://service.sap.com/sap/support/notes/1335926 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1336947 - Security correction: Username hard coded

Symptom

The user name is hard coded in a portion of code that is no longer relevant. The code containing the hard-coded user name was added for internal tests; it does not affect any business process and cannot harm any component. Hence, implementing this note cannot cause any kind of damage.


Other terms
SCM, F&R, RWB


Reason and Prerequisites
The user name was hard coded in the method /FRE/UI_CL_TS_GRAPHIC->TEST_IXML, which is not compliant with the security standard.



Solution
Implement the correction instructions.





Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SCM                 510      510           510
SCM                 700      700           700


Visit https://service.sap.com/sap/support/notes/1336947 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1339326 - F&R: Remove hardcoded user name branches in code (security)




Symptom
No symptoms. SAP internal security audit.


Other terms
F&R security


Reason and Prerequisites
Production code compares sy-uname with hardcoded values. The security implications are negligible; however, the application may behave unexpectedly if the user name matches a hardcoded value. These comparisons have now been removed.


Solution
Implement the correction instructions or install the associated SP.
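Notes 1334396, 1335103, 1336947 and 1339326 all remove branches that compare sy-uname with a literal user name. As an added example (not SAP's code), this Python scanner flags that pattern in ABAP source, including CASE sy-uname ... WHEN branches, over a constructed fragment; the regular expressions and the sample code are assumptions of this example, not the audit SAP ran.

```python
"""Added example (not SAP's code): flag ABAP statements that compare sy-uname
with a hardcoded user name, the pattern the notes above remove."""
import re

_LIT = r"(?:'[^']*'|`[^`]*`)"              # ABAP text literals
_OPS = r"(?:=|<>|EQ|NE)"                   # equality operators on char fields
# sy-uname on either side of an equality comparison, any letter case
_CMP = re.compile(rf"\bsy-uname\s*{_OPS}\s*({_LIT})|({_LIT})\s*{_OPS}\s*sy-uname\b", re.I)
_CASE = re.compile(r"^\s*CASE\s+sy-uname\s*\.", re.I)   # CASE sy-uname. ... ENDCASE.
_WHEN = re.compile(rf"^\s*WHEN\s+({_LIT})", re.I)
_ENDCASE = re.compile(r"^\s*ENDCASE\s*\.", re.I)


def find_hardcoded_uname(source: str) -> list[tuple[int, str]]:
    """Return (line number, user name) for each hardcoded sy-uname branch."""
    findings, in_case = [], False
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split('"', 1)[0]            # strip trailing " comment
        if code.lstrip().startswith("*"):       # full-line comment
            continue
        if _CASE.match(code):
            in_case = True
            continue
        if in_case:                             # WHEN branches of CASE sy-uname
            if _ENDCASE.match(code):
                in_case = False
            elif (m := _WHEN.match(code)):
                findings.append((no, m.group(1)[1:-1]))
            continue
        for m in _CMP.finditer(code):
            findings.append((no, (m.group(1) or m.group(2))[1:-1]))
    return findings


# Constructed ABAP fragment in the style of the removed test branches.
SAMPLE = """\
* debug branch left in by a developer
IF sy-uname = 'DEVUSER01'.
  PERFORM dump_ixml.              " test-only output
ENDIF.
CHECK sy-uname <> 'SAPTEST'.
CASE sy-uname.
  WHEN 'TESTER'. lv_debug = abap_true.
  WHEN OTHERS.
ENDCASE.
IF 'ADMIN' EQ sy-uname. ENDIF.
"""

if __name__ == "__main__":
    for no, user in find_hardcoded_uname(SAMPLE):
        print(f"line {no}: branch on hardcoded user name {user!r}")
```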




Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SCM                 510      510           510
SCM                 700      700           700


Visit https://service.sap.com/sap/support/notes/1339326 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1339620 - Security note:Cross Site Scripting (XSS) in cFolders



Symptom

This SAP Security Note describes how to reduce the risk of possible cross-site scripting (XSS) attacks in cFolders.

In general, all web servers that accept input parameters via HTTP requests, dynamically generate HTML pages based on these inputs, and then return this dynamically generated content as the response to the client (browser) are potentially vulnerable to cross-site scripting attacks.

Under some circumstances, JavaScript code can be injected through an input field or a URL parameter. This can cause unexpected behavior on various pages of the cFolders application.



Other terms
Security vulnerabilities, Cross site scripting, XSS.


Reason and Prerequisites
Program error


Solution
Please apply the correction instruction to resolve the issue.



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
CPRXRPM             450_700  450_700       450_700


Visit https://service.sap.com/sap/support/notes/1339620 for Correction delivered in Support Package & Corrections Instructions

SAP Note 1340457 - Security Note: Encoding fix for technical hidden fields

Symptom

Some web browsers that are unsupported by the SAP Web UI (such as IBM AppScan) sometimes make it possible to decode complex strings and to execute JavaScript code found in them for one's own user by passing them in some request parameters (using special functionality provided by those unsupported browsers). This JavaScript code cannot be executed in another user's session or in another session belonging to the same user, nor can it be executed by standard popular browsers. It can only be executed for one's own user, in the current session, in special browsers. Because of the complexity of the prerequisites, we are currently not aware of any working attack vector, so exploitability is very unlikely.


Other terms
thtmlb xss input hidden javascript js request script scripting site cross security


Reason and Prerequisites
Even though exploitability is very unlikely, a further step in reinforcing the security of WEBCUIF-based applications is to encode the values of some hidden fields so that any potentially dangerous parameters can no longer easily be deciphered and executed without additional effort.


Solution
Implement the attached correction instructions.




Affected Releases
Software Component  Release  From Release  To Release  And subsequent
CRMUIF              600      600           600
WEBCUIF             700      700           700
WEBCUIF             730      730           730


Visit https://service.sap.com/sap/support/notes/1340457 for Correction delivered in Support Package and Corrections Instructions


 

SAP Note 1342183 - Security information: Transaction FIAAHELP

Symptom

Transaction FIAAHELP and the function module AA_CUS_EDIT_CONTENT can be used to change existing source code without an authorization check, among other things.


Other terms
Security, AA_CUS_EDIT_CONTENT


Reason and Prerequisites
There is a program error.


Solution
Implement the corrections as described in the attached correction instructions. The changes are also delivered with the following Support Packages:

Component  Release  Support Package
SAP_APPL   470     SAPKH47031
SAP_APPL   500     SAPKH50020
SAP_APPL   600     SAPKH60014
SAP_APPL   602     SAPKH60204
SAP_APPL   603     SAPKH60303

The corrections do not affect the normal function of the application.
We strongly recommend that you implement this note to eliminate the security issue.




Affected Releases
Software Component  Release  From Release  To Release  And subsequent
SAP_APPL            470      470           470
SAP_APPL            500      500           500
SAP_APPL            600      600           600
SAP_APPL            602      602           602
SAP_APPL            603      603           603


Visit https://service.sap.com/sap/support/notes/1342183 for Corrections Instructions

SAP Note 1355614 - IS-M/ PMD: Obsolete source code in master data generator




Symptom
This note is important for you if you use the IS-M master data generator through transaction JPMDG2. Obsolete source code segments were removed. These contain ABAP language elements that require development authorization. Up to now, a person who did not have development authorization could insert source code in the system. After you implement this note, unintentionally inserting source code is no longer possible.


Other terms
ISMPMD, JPMDG2


Reason and Prerequisites
This problem is due to a program error.


Solution
Implement the correction instructions relevant for your release.



Affected Releases
Software Component  Release  From Release  To Release  And subsequent
IS-M                402      402           402
IS-M                464      464           464
IS-M                471      471           471
IS-M                472      472           472
IS-M                600      600           600
IS-M                602      602           602
IS-M                603      603           603
IS-M                604      604           604


Check https://service.sap.com/sap/support/notes/1355614 for Correction delivered in Support Package & Corrections Instructions