Symptom
The program BEFG_TEMPLATE_CREATE can be used to modify a standard template of the Billing Engine Framework in the production system.
Authorization checks are not performed before executing this program. Although a potential attacker must be able to transport his modifications into the system before executing the program BEFG_TEMPLATE_CREATE. User input is not accepted directly.
Thus the potential risk exists that also the business behavior of
the billing application is influenced in the production system.
Reason and Prerequisites
The program was developed as part of the Billing Engine Framework to utilize developers converting function modules or programs into templates. Those templates cannot be executed in any system, but are the basis for the Framework to generate the corresponding objects of the Billing Engine Application. This could be again either a function module or a program.
The potential security issue exists, that the program is executed in the productive system and modifies the template of an existing object of the Billing application. Therefore a function module or program must be part of the production which can be used as source for the template information.
If a user has the permission to regenerate the billing application
(which requires authorization object BEF_META), the programs of the
productive Billing application can be changed as well.
Solution
The program BEFG_TEMPLATE_CREATE is enhanced that it cannot be
executed in a production system. In addition the corresponding permission of authorization object BEF_META is checked.
Apply correction instruction.
https://service.sap.com/sap/support/notes/1375125
The program BEFG_TEMPLATE_CREATE can be used to modify a standard template of the Billing Engine Framework in the production system.
Authorization checks are not performed before executing this program. Although a potential attacker must be able to transport his modifications into the system before executing the program BEFG_TEMPLATE_CREATE. User input is not accepted directly.
Thus the potential risk exists that also the business behavior of
the billing application is influenced in the production system.
Reason and Prerequisites
The program was developed as part of the Billing Engine Framework to utilize developers converting function modules or programs into templates. Those templates cannot be executed in any system, but are the basis for the Framework to generate the corresponding objects of the Billing Engine Application. This could be again either a function module or a program.
The potential security issue exists, that the program is executed in the productive system and modifies the template of an existing object of the Billing application. Therefore a function module or program must be part of the production which can be used as source for the template information.
If a user has the permission to regenerate the billing application
(which requires authorization object BEF_META), the programs of the
productive Billing application can be changed as well.
Solution
The program BEFG_TEMPLATE_CREATE is enhanced that it cannot be
executed in a production system. In addition the corresponding permission of authorization object BEF_META is checked.
Apply correction instruction.
https://service.sap.com/sap/support/notes/1375125
No comments:
Post a Comment