
Monday, May 16, 2011

SAP Note 1304803 - Security note: Changing a transport without authorization

Symptom
Certain reports that do not have an authorization check can create or change transport requests and change the piece list of a request.
This is a security breach.



Other terms
Security breach


Reason and Prerequisites
This problem is caused by a delivery error.


Solution
Use the Note Assistant to implement the correction instructions or import the relevant Support Package.

If the report TH_E070E also exists in your system, delete it manually. For technical reasons, we cannot provide general correction instructions for this report.
If the package STRW does not exist in your system, you must first call transaction SE03 -> "Change Object Directory Entries" and change the package of R3TR PROG TH_E070E to SDEL.
In this case, the package change must be transported together with the deletion of the report.

The correction does not influence the normal functioning of the Transport Organizer (transactions SE01, SE09 or SE10) or other applications.
The Transport Organizer does not use the reports in any way.

We strongly recommend that you implement this note to eliminate this security flaw.
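
A read-only check for the manual step in the Solution section, as an added example that is not part of the SAP note: it reports whether TH_E070E is present and whether package STRW exists, which decides which of the two paths applies. The report name Z_CHECK_NOTE_1304803 is hypothetical; TRDIR, TADIR and TDEVC are the standard repository tables.

```abap
REPORT z_check_note_1304803.
* Added example (hypothetical report name). Read-only: selects only,
* it neither deletes the report nor changes any directory entry.

DATA: l_name     TYPE trdir-name,
      l_devclass TYPE tadir-devclass,
      l_strw     TYPE tdevc-devclass.

START-OF-SELECTION.
* Step 1: does the report named in the note exist at all?
  SELECT SINGLE name FROM trdir INTO l_name
    WHERE name = 'TH_E070E'.
  IF sy-subrc <> 0.
    WRITE: / 'TH_E070E not found: no manual deletion required.'.
  ELSE.
*   Step 2: show the package currently assigned to the report.
    SELECT SINGLE devclass FROM tadir INTO l_devclass
      WHERE pgmid    = 'R3TR'
        AND object   = 'PROG'
        AND obj_name = 'TH_E070E'.
    WRITE: / 'TH_E070E exists, current package:', l_devclass.

*   Step 3: the note branches on whether package STRW exists.
    SELECT SINGLE devclass FROM tdevc INTO l_strw
      WHERE devclass = 'STRW'.
    IF sy-subrc = 0.
      WRITE: / 'Package STRW exists: delete the report manually.'.
    ELSE.
      WRITE: / 'Package STRW missing: reassign the report to SDEL in SE03,'.
      WRITE: / 'then transport the package change with the deletion.'.
    ENDIF.
  ENDIF.
```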




Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_BASIS | 46 | 46C | 46D | |
| SAP_BASIS | 60 | 610 | 640 | |
| SAP_BASIS | 70 | 700 | 702 | |
| SAP_BASIS | 71 | 710 | 720 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| SAP_BASIS | 46C | |
| SAP_BASIS | 620 | |
| SAP_BASIS | 640 | |
| SAP_BASIS | 700 | |
| SAP_BASIS | 701 | |
| SAP_BASIS | 710 | |
| SAP_BASIS | 711 | |

Correction Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 46C | 711 | SAP_BASIS | 13.02.2009 14:56:46 |
