SAP Note 1292875 - Security note:Cross Site Scripting (XSS) in cFolders

Symptom

This SAP Security Note describes how to reduce the risk of possible cross-site scripting (XSS) attacks in cFolders.

In general all Web Servers, that accept input parameters via http requests, dynamically generate html pages based on these inputs and then return this dynamically generated content as response to the client (browser), are potentially vulnerable to "Cross Site Scripting" attacks

Under some circumstances Java Script code can be injected with URL as a Parameter. This can show some abrupt behavior in cFolders application on page me_ov.htm and col_table_filter.htm


Other terms
Security vulnerabilities, Cross site scripting, XSS, CSS, me_ov.htm, col_table_filter.htm


Reason and Prerequisites
Program error


Solution
Please apply the correction instruction to resolve the issue

Affected Releases

Software Component Release From Release To Release And subsequent CPROJECTS 310 310_620 310_640   CPRXRPM 400 400 400   CPRXRPM 450_700 450_700 450_700

Correction delivered in Support Package

Support Packages Release Package Name CPROJECTS 310_620 SAPK-31218INCPROJECT CPROJECTS 310_640 SAPK-31418INCPROJECT CPRXRPM 400 SAPK-40016INCPRXRPM CPRXRPM 450_700 SAPK-45007INCPRXRPM

Corrections Instructions

Correction Instruction Valid from Valid to Software Component Last Modifcation 1178286 310_620 310_620 CPROJECTS 21.12.2009  05:44:31 1178286 310_640 310_640 CPROJECTS 21.12.2009  05:44:31 1060130 450_700 450_700 CPRXRPM 09.01.2009  16:57:14 1061384 400 400 CPRXRPM 13.01.2009  09:08:27

Direct Link : https://service.sap.com/sap/support/notes/1292875