
Transcript of sapnote_0000888889


07.12.2011 Page 1 of 13

SAP Note 888889 - Automatic checks for security notes using RSECNOTE

Note Language: English Version: 15 Validity: Valid Since 30.04.2010

Summary

Symptom

The SAP EarlyWatch Alert report contains selected checks about "Security". Among other things, there is a check to determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system. The report displays an overall status. An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes in the system to be analyzed.

This note responds to the following situations:

o In the SAP EarlyWatch Alert report, the "Service Preparation Check" unit complains that Note 888889 is not implemented. As a result, the check for security-relevant notes can only be carried out partially in the "Security" section.

o You want to use the tool RSECNOTE to check the implementation status of security-relevant notes in your system. However, this tool is not yet available in your system.

o You require detailed information on implementing and executing the tool RSECNOTE, and on interpreting the results.

o You call transaction ST13. In the F4 help for the "Tool Name" field, the entry RSECNOTE is missing. If you manually enter RSECNOTE and then execute it, the system issues the message "The tool RSECNOTE does not exist".

o The tool RTCCTOOL shows that the tool RSECNOTE is missing.

Other terms

EarlyWatch Alert, EWA, security, RSECNOTE, RTCCTOOL, ST13

Reason and Prerequisites

The tool RSECNOTE is part of the software component ST-A/PI as of Release 01M_*. Correction instructions are available for the installation in Release 01L_*.

As of Support Package 3 for the Service Content Plug-In ST-SER 701_2008_2, various services in the Solution Manager require the tool RSECNOTE on the managed system to check whether or not security-relevant notes are implemented.

The service report shows that this tool is missing and makes reference to this present Note 888889.

Solution

Below you will find:

- a guide to implementing the tool RSECNOTE
- documentation on using the tool and information about the background and further procedures


Guide for creating the tool RSECNOTE

1. Install the tool RSECNOTE in all systems in which you want to use the tool. SAP recommends that you install Release 01M_* of the software component ST-A/PI. See Note 69455 for more information.

   You can also install the tool RSECNOTE in Release 01L_* by implementing the correction instructions using transaction SNOTE. Go to "System Change Option" in transaction SE06 and set the software component ST-A/PI and the namespaces/name ranges "General SAP Name Range", /SSA/, and /SSF/ to "Modifiable". Enter /SSA/RTC if you are asked to specify a main program for /SSA/INT.

2. Assign the following authorizations to all the users for whom you want to provide access to the tool.

   Object      Field       Value
   S_TCODE     TCD         ST13
   S_ADMI_FCD  S_ADMI_FCD  ST0R
   S_PTCH_ADM  TABLE       ' (or empty)
               COMPONENT   SECURITY-CHECK
               ACTVT       02 (change)

Documentation for the tool RSECNOTE

You use transaction ST13 to start the tool RSECNOTE. In transaction ST13, select the tool and start it by choosing "Execute" or F8.

Comment: As of SAP_BASIS Release 620 Support Package 55, SAP_BASIS Release 640 Support Package 13, SAP_BASIS Release 700 and subsequent releases, you can also start the tool as the report RSECNOTE by using transaction SA38, for example.

The tool RSECNOTE displays the notes that contain security corrections and that are relevant for your system because of the software components that are installed (taking the releases and the Support Packages into account).

The report shows the following three sections:

o "Missing recommendations"
  This section shows the required security-relevant SAP Notes and HotNews. HotNews are flagged with a red traffic light and notes are flagged with a yellow traffic light.

o "Manually confirmed recommendations"
  Report messages can also be confirmed manually. This should only happen in exceptional cases that require it. For example: You cannot implement a specific note using transaction SNOTE because you manually changed the affected program beforehand. In this case, implement the corrections manually and confirm the message.

o "Successfully implemented recommendations"


  This section shows the security-relevant notes and HotNews that are required for the system and that are implemented successfully. A note or a HotNews is no longer required if your system release or Support Package level already contains the correction. After the system is upgraded or Support Packages are imported, a note that was implemented earlier may no longer be listed.
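The following Python script is an added example, not SAP's code and not the RSECNOTE implementation: it models the three report sections described above on constructed data. Only the rules come from the text (a recommendation is not relevant when the installed release and Support Package level already contain the correction; otherwise it is implemented, manually confirmed, or missing; HotNews get a red light, notes a yellow one). The data structures, the field names and the note numbers 999000x are assumptions, and `after_support_package` shows why a note listed before a Support Package import can disappear afterwards.

```python
"""Model of the RSECNOTE report sections described in Note 888889.

Added example, not SAP code: the data model and the sample values are
constructed assumptions; only the classification rules come from the note.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Recommendation:
    note: str              # SAP Note number (constructed placeholders below)
    component: str         # software component the correction belongs to
    release: str           # release of that component the correction applies to
    fixed_in_sp: int       # Support Package level that already contains the correction
    hotnews: bool = False  # HotNews -> red traffic light, ordinary note -> yellow


@dataclass(frozen=True)
class SystemState:
    # installed components: component -> {release: Support Package level}
    components: Dict[str, Dict[str, int]]
    implemented_notes: Set[str]  # notes implemented, e.g. with SNOTE
    confirmed_notes: Set[str]    # notes an administrator confirmed manually


def classify(rec: Recommendation, state: SystemState) -> Optional[str]:
    """Return the report section for one recommendation, or None if not relevant."""
    levels = state.components.get(rec.component)
    if levels is None or rec.release not in levels:
        return None  # component or release not installed: note not required here
    if levels[rec.release] >= rec.fixed_in_sp:
        return None  # the Support Package level already contains the correction
    if rec.note in state.implemented_notes:
        return "implemented"
    if rec.note in state.confirmed_notes:
        return "confirmed"
    return "missing"


def traffic_light(rec: Recommendation) -> str:
    return "red" if rec.hotnews else "yellow"


def build_report(recs: List[Recommendation],
                 state: SystemState) -> Dict[str, List[Tuple[str, str]]]:
    """Group the relevant recommendations into the three sections of the report."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "missing": [], "confirmed": [], "implemented": []}
    for rec in recs:
        section = classify(rec, state)
        if section is not None:
            report[section].append((rec.note, traffic_light(rec)))
    return report


def after_support_package(state: SystemState, component: str,
                          release: str, level: int) -> SystemState:
    """State after importing Support Packages for one component/release."""
    components = {c: dict(r) for c, r in state.components.items()}
    components.setdefault(component, {})[release] = level
    return replace(state, components=components)


# Constructed sample data; note numbers 999000x are placeholders, not real SAP Notes.
SAMPLE_RECS = [
    Recommendation("9990001", "SAP_BASIS", "700", fixed_in_sp=20, hotnews=True),
    Recommendation("9990002", "SAP_BASIS", "700", fixed_in_sp=25),
    Recommendation("9990003", "SAP_BASIS", "700", fixed_in_sp=30),
    Recommendation("9990004", "SAP_BASIS", "700", fixed_in_sp=10),  # already in SP 18
    Recommendation("9990005", "SAP_APPL", "600", fixed_in_sp=5),    # component absent
]
SAMPLE_STATE = SystemState(
    components={"SAP_BASIS": {"700": 18}},
    implemented_notes={"9990002"},
    confirmed_notes={"9990003"},
)


if __name__ == "__main__":
    print("before SP import:", build_report(SAMPLE_RECS, SAMPLE_STATE))
    upgraded = after_support_package(SAMPLE_STATE, "SAP_BASIS", "700", 26)
    print("after SP 26 import:", build_report(SAMPLE_RECS, upgraded))
```

Running the script shows 9990001 as a missing HotNews (red), 9990002 as implemented and 9990003 as manually confirmed; 9990004 is never listed because Support Package 18 already contains it, and 9990005 concerns a component that is not installed. After the simulated import of Support Package 26 only the confirmed note 9990003 remains, which is the behaviour the text describes for notes that a Support Package level now covers.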

List of security-relevant notes that are checked

The tool RSECNOTE checks security-relevant notes or HotNews that are entered as related notes in this present note.

For Note 1298433 "Security note: Bypassing security in reginfo & secinfo", however, the system checks only that at least the required kernel patch is installed. It does not check whether the gateway has also been safeguarded.
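Because the RSECNOTE check stops at the kernel patch level, the gateway ACL files themselves still have to be reviewed. The Python script below is an added example (not part of this note and not SAP code) that reads reginfo and secinfo contents and reports two conditions a hardened gateway configuration should not show: a permit rule that admits any program (TP=*) from any host, and the absence of a final deny-all rule, which matters because the gateway applies the first matching line. It follows the VERSION=2 field syntax (P or D, then KEY=VALUE pairs); treating an absent host field as unrestricted and using USER-HOST as the caller host for secinfo are this example's assumptions, and the sample files are constructed.

```python
"""Review SAP gateway ACL files (reginfo / secinfo) for obviously permissive rules.

Added example, not part of Note 888889 and not SAP code. Assumptions: VERSION=2
syntax "P|D KEY=VALUE ...", first matching rule wins, an absent host field is
treated as "any host", and the caller host in secinfo is the USER-HOST field.
"""
import re
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]          # "action" (P or D), "line", plus the KEY=VALUE fields
Finding = Tuple[int, str]      # (line number, finding code); line 0 = whole file


def parse_acl(text: str) -> List[Rule]:
    """Parse a VERSION=2 gateway ACL file into one dict per P/D rule."""
    rules: List[Rule] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line; the "#VERSION=2" header is a comment
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {no}: expected P or D, got {action!r}")
        rule: Rule = {"action": action, "line": str(no)}
        rule.update(re.findall(r"([A-Z][A-Z-]*)=(\S*)", rest))
        rules.append(rule)
    return rules


def unrestricted(hosts: Optional[str]) -> bool:
    """A host list is unrestricted if it is absent or contains the '*' wildcard."""
    if hosts is None:
        return True  # assumption of this example: no host field means any host
    return "*" in hosts.split(",")


def audit(rules: List[Rule], host_field: str) -> List[Finding]:
    """Flag wildcard permit rules and a missing final deny-all rule."""
    findings: List[Finding] = []
    for rule in rules:
        if (rule["action"] == "P" and rule.get("TP", "*") == "*"
                and unrestricted(rule.get(host_field))):
            findings.append((int(rule["line"]), "WILDCARD_ALLOW"))
    last = rules[-1] if rules else None
    if last is None or last["action"] != "D" or last.get("TP", "*") != "*":
        findings.append((0, "NO_FINAL_DENY"))
    return findings


def audit_reginfo(text: str) -> List[Finding]:
    return audit(parse_acl(text), "HOST")        # HOST = host registering the program


def audit_secinfo(text: str) -> List[Finding]:
    return audit(parse_acl(text), "USER-HOST")   # USER-HOST = host the caller comes from


# Constructed sample files for illustration only.
PERMISSIVE_REGINFO = """#VERSION=2
P TP=* HOST=internal,local
P TP=* HOST=* ACCESS=*
D TP=*
"""

HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=internal,local
P TP=EXAMPLE_RFC_SERVER HOST=rfcserver.example.internal ACCESS=internal,local CANCEL=internal,local
D TP=*
"""

SECINFO_NO_FINAL_DENY = """#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
"""

if __name__ == "__main__":
    for name, result in (("permissive reginfo", audit_reginfo(PERMISSIVE_REGINFO)),
                         ("hardened reginfo", audit_reginfo(HARDENED_REGINFO)),
                         ("secinfo without final deny", audit_secinfo(SECINFO_NO_FINAL_DENY))):
        print(f"{name}: {result or 'no findings'}")
```

The permissive reginfo sample is reported for its third line, the hardened one produces no findings, and the secinfo sample is reported both for its wildcard permit and for lacking a closing `D TP=*` line. The check is deliberately narrow: it does not judge named hosts or program names, so a clean result means only that the two conditions above are absent, not that the gateway is fully safeguarded.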

An overview of other security-relevant notes or HotNews is provided on the SAP Service Marketplace under the quick link /SECURITYNOTES (https://service.sap.com/securitynotes).

Updating recommendations

The set of checked notes or HotNews is maintained online by SAP. During a check, a system loads the list automatically using the service connection to SAPNet, once a day. You can also use the tool RSECNOTE to update the list manually (menu path: List -> Refresh from SAPNet).

If the system to be checked does not have an online connection to SAPNet, you can also use a transport to import the current recommendations from another system that has a connection to SAPNet. To do this, create a "Transport of Copies" and enter the object key R3TR TABU /SSF/PTAB. Enter ND* as the table key. This selects all recommendations, including the recommendations for the tools RTCCTOOL and RSECNOTE. Make sure that you have specified a table key. Start the tool RTCCTOOL or RSECNOTE before you export the transport request, so that the recommendations are up to date.

Attached to this note is the file Transport_Files_<date>.zip, which contains the recommendations for the tool RSECNOTE for the specified date. Use the transport files contained in it if you do not have any systems that have an online connection to SAPNet.

EarlyWatch Alert report

The SAP EarlyWatch Alert report also provides a summary of the results of the tool RSECNOTE. For further information on the SAP EarlyWatch Alert report, see Note 863362.

Note Assistant

You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on SAP Service Marketplace under the quick link /NOTE-ASSISTANT (https://service.sap.com/note-assistant).

Header Data

Release Status: Released for Customer
Released on: 03.05.2010 07:08:40
Master Language: German
Priority: Recommendations/additional info
Category: Advance development
Primary Component: SV-SMG-SER SAP Support Services

Secondary Components: XX-INT-SR Security Response

Valid Releases

Software Component  Release     From Release  To Release  and Subsequent
ST-A/PI             BASIS_46B   01L_BCO46B    01M_BCO46B
ST-A/PI             BASIS_46C   01L_BCO46C    01M_BCO46C
ST-A/PI             BASIS_46D   01L_BCO46D    01M_BCO46D
ST-A/PI             BASIS_610   01L_BCO610    01M_BCO610
ST-A/PI             BASIS_620   01L_BCO620    01M_BCO620
ST-A/PI             BASIS_640   01L_BCO640    01M_BCO640
ST-A/PI             R3_40B      01L_R3_40B    01M_R3_40B
ST-A/PI             R3_45B      01L_R3_45B    01M_R3_45B
ST-A/PI             R3_46B      01L_R3_46B    01M_R3_46B
ST-A/PI             R3_46C      01L_R3_46C    01M_R3_46C
ST-A/PI             R3_470      01L_R3_470    01M_R3_470
ST-A/PI             APO_30A     01L_APO30A    01M_APO30A
ST-A/PI             APO_310     01L_APO310    01M_APO310
ST-A/PI             SCM_400     01L_SCM400    01M_SCM400
ST-A/PI             BBPCRM_300  01L_CRM300    01M_CRM300
ST-A/PI             BBPCRM_315  01L_CRM315    01M_CRM315
ST-A/PI             BBPCRM_400  01L_CRM400    01M_CRM400
ST-A/PI             SCM_410     01L_SCM410    01M_SCM410
ST-A/PI             ECC_500     01L_ECC500    01M_ECC500
ST-A/PI             BASIS_700   01L_BCO700    01M_BCO700
ST-A/PI             ECC_600     01L_ECC600    01M_ECC600
ST-A/PI             SCM_570     01L_SCM570    01M_SCM570
ST-A/PI             BASIS_710   01L_BCO710    01M_BCO710
ST-A/PI             CRM_570     01L_CRM570    01M_CRM570
ST-A/PI             BASIS_720   01M_BCO720    01M_BCO720

Related Notes

Number Short Text

1632020 Missing authorization check in ABAP Language

1631460 Directory Traversal in ABAP Debugger

1631458 Missing authorization check in ABAP Debugger

1625060 Missing authorization check in component IS-B-BCA

1616366 Missing Authorization Check in BC-CCM-MON

1616301 Missing authorization check in Contract Management

1614719 Missing authorization check in ETM planning

1612983 Unauthorized use of appl. functions in mobile extension

1612690 Code injection vulnerability in WD ABAP ALV

1610299 Unauthorized change to contents in PI message monitoring

1607721 Unauthorized modification of displayed content in Unicode Co

1602039 Missing Authorization Check in IS-B-BCA

1599072 Directory traversal in RE-BD

1596147 Unauthorized modification of displayed content in ABAP Help

1595074 Missing authorization check in function group SAL3

1594644 Potential disclosure of persisted data in the monitors

1592669 Hard-coded user name in Retail industry solution for India

1592312 Code injection vulnerability in EC-EIS

1592029 Missing authorization check in customer master data

1591813 Potential disclosure of persisted data in test code

1591349 Missing authorization check in BRF

1591146 Missing authorization check in profile maintenance module


1591048 QPAP: Potential modification or disclosure of persisted data

1590863 Potential modification/disclosure of persisted data i.CRM-IU

1590837 Directory traversal in Deposits Management

1590272 Unauthorized modification of stored content:hrrcf_searchhlp

1589919 Hard-coded credentials in Function Builder

1589882 Potential disclosure of persisted data in account

1589355 Directory traversal in Bank Analyzer

1588869 Potential disclosure of persisted data in FIN-FSCM-TRM

1588744 Potential disclosure of persisted data in the card contract

1586739 Hard-coded credentials in FI-FM

1584857 Missing authorization check in credit standing review- cards

1584549 Directory traversal in function group SUGPEWA

1584383 Directory traversal in Bank Analyzer

1584170 Code injection vulnerability in component Bank Analyzer

1584002 Unauthorized modification of contents displayed in ICF

1583301 Missing authorization check in Loans Management

1583286 Poss. disclosure of authorization verifications in RSTXSCRP

1583235 Unauthorized modification of displayed content

1581717 Potential disclosure of persisted data in BW RFC

1581644 Unauthorized modification of displayed content in CRM-BPS

1580874 Directory traversal in ABAP Syntax Checking

1580132 Code injection vulnerability in FS-BA-TO-DE

1580130 Code injection vulnerability in FS-BA-SRV

1580017 Code injection vulnerability in TH_GREP

1578473 Directory Traversal in Unicode Migration Tools

1578393 Hard-coded credentials in BC-SRV-KPR-DMF

1578067 Hard-coded credentials in CA-GTF-RCM

1577155 Unauthorized modif. of displayed content in WD trace tool

1576055 Dangerous ABAP Commands; DELETE REPORT in RSBTCDRP

1575006 Directory Traversal in SPOOL System

1574226 Unauthorized modification of displayed content in IC Manager

1572714 Missing Authorization Check in Profile Parameter Handling

1572346 Hard-coded credentials in ABAP Test Cockpit

1572345 Hard-coded credentials in ABAP Task Handler

1572340 Directory traversal in PSE function modules

1572325 Unauthorized modification of displayed content in BW

1572152 Potential ABAP code generation w/o logging

1571944 Missing Authorization Check in ABAP Workbench

1570717 Hard-coded credentials in ABAP Workbench

1570374 Missing Authorization Check in Package Builder

1569550 Unauthorized execution of functions in transaction BAPI

1569300 Potential Denial of Service in translation tools funct.

1568674 Code injection vulnerability in CRM_UBB_LAE_EDIT_CONTENT

1567882 Missing authorization check in BW RFC

1567747 Potential disclosure of persisted data in Bank Analyzer


1567635 Unauthorized modification of contents displayed in ICF

1567630 Unauthorized modification of displayed content in BC-DOC-TTL

1565444 Missing authorization check in Output Server

1565397 Unauthorized modification of content in BSP DSWP_URL_LAUNCH

1563110 Potential information disclosure relating to FM TH_GREP

1562171 Information disclosure within transportation management

1561545 Update #2 to Security Note 1531669

1560649 Hard-coded credentials in BCS

1560605 Unauthorized modification of stored content in ST

1560538 Missing authorization check in SCM-APO-INT

1560331 Directory traversal in ABAP Language

1559623 Missing authorization check in CMBankCard

1557197 Missing authorization check in portal connection

1556749 Unauthorized execution of functions in SAP system

1555846 Missing authorization check in WD ABAP tracing tool

1554030 Missing authorization check in fumo EPS_DELETE_FILE

1553930 Potential denial of service in NetWeaver application server

1553872 Potentl modification or disclosure of persist. data in FS-BA

1553868 Potentl modification or disclosure of persist. data in FS-BA

1553184 Potential disclosure of persisted data in PFW

1553043 Potential disclosure of persisted data in FS-BA-AN-STA

1552504 Potential disclosure of persisted data in Result Database

1551544 Potential modification or disclosure of data in FSAPPL

1549999 Missing authorization check in the workflow analysis

1548848 Potential information disclosure relating to user/processes

1547271 Missing authorization check in RFC with call transaction

1543318 Potential remote termination of running processes in kernel

1542645 Users with hardcoded name & password created in BC-DOC-TER

1538382 Potential modification of persisted data in Business Config.

1538218 Potential information disclosure relating to security by WDA

1537753 Missing Authorization Check in LO-MAP

1536640 WebReporting:Unauthorized modification of displayed content

1536491 ALE: Missing authorization check in ALE monitoring tool

1536091 Missing Authorization Check in Change logs component.

1533470 Missing authorization check in Cash Management

1531752 Directory traversal in Condition tool

1531669 Missing Authorization Check

1530392 Missing Authorization Check in SW-Delivery tools

1529573 Directory Traversal in Bank Analyzer Correction Server

1528863 Update #1 to Security Note 1436936

1528822 Missing authorization check in WebReporting

1526168 Unauthorized modification of contents displayed in ICF

1525695 Update #1 for Note 587410: Missing Authorization Check SE37

1525328 Potential information disclosure by the message server

1523808 Missing authorization check in CATT or eCATT


1521786 Fixing directory traversal vulnerabilities

1520781 Potential disclosure and modification of code and data

1520462 Unauthorized call of operating system command

1520043 RFC call cat_r2_tab_res without authorization

1518792 Potential disclosure of persisted data in ESFUtil.

1518682 Directory Traversal in ABAP-Debugger-Utilities

1514385 Directory Traversal in Report RSDBGENA

1513952 Missing Authorization Check in AP-PPE-SCM

1512134 Unauthorized modification of displayed content in ITS

1511436 Code injection vulnerability in Relationship and Reliability

1511107 Executing freely determined code using transaction SE37

1510704 Missing Authorization Check in AFX Workbench report

1507903 Filtering user input when working with MEQUI index table

1506970 Code injection vulnerability in SRM basis objects

1506767 Directory Traversal in Transport Organizer Web UI

1504090 Code injection vulnerability in SCM-APO-PPS

1504016 Directory Traversal in BC-DOC-DTL

1503375 ED: Code injection vulnerability in functionality 'Other'

1502781 Unauthorized modification of displayed content in BSP

1502579 Potential change or discl. of persisted data: SAP_BASIS(FSI)

1499901 Executing arbitrary code with RSNROGEN

1499051 DBACockpit: Weak authorization checks in SQL Command Editor

1498913 PFO : Authority check for business object

1497622 EC-EIS: Loading any source code using FM KXXC_DOWNLOAD

1497104 Protect access to PSE files by additional AUTHORITY-CHECK

1496092 Unauthorized read-access to database

1496038 Unsecure standard configuration

1495570 Security: Execution of any source code

1494046 Code injection vulnerability in time rule programm

1493911 Missing Authorization Check in SW-Delivery tools

1493634 Transaction calls from reporting

1493516 Correcting buffer overflow in ABAP system call

1493101 Code injection vulnerability in FERCC001

1492434 Executing arbitrary code using report RIWP_VIEW_GENERATE

1490437 Corrections for ST-PI

1488159 SUIM RSUSR003 incorrect results for CODVN = 'F'

1488057 Potential disclosure & modif of persisted data in IS-DFS-BIT

1488038 Unauthorized usage of test tool of system login

1487330 Potential remote code execution in SAP Kernel

1487212 Potential modification or disclosure of persisted data PLM-RM

1486918 Code Injection vulnerability in CRM-ACP-APL

1484930 Saved data may be disclosed and changed

1484918 Potential modification of data in IPC Database Interface

1484743 Hard-coded logon information in CL_CRM_ISU_ORDE...

1484712 Directory traversal in CRM_EDR_UPLOAD_DATA/-DOWNLOAD_DATA


1484711 Unauthorized change of displayed contents in IUBOTRCP

1484709 Unauthorized change of displayed contents in CRM_ITIC

1482118 Unauthorized change to data displayed in BPS planning

1481802 Potential disclosure and modification of persisted data

1481405 Hard-coded credentials in RFBYPASS

1481254 Program generator performance RE-FX

1480653 Potential disclosure and modification of persisted data

1479762 Missing authority check in SAP_RSADMIN_MAINTAIN

1479310 EC-PCA: Using FM ZPCA_UPLOAD to load any source code

1478978 Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT

1478860 Unauthorized modification of displayed content in ROS

1478756 Executing any source code in CO-PC reporting

1478420 FPE2M: Missing Authorization Check

1475481 Unauthorized modification of stored content in signature BSP

1474853 BCE: Secure Business Content Environment

1473881 Usage of transaction UASE16N

1473520 Missing authorization check in coinsurance reporting

1472807 Hard-coded credentials in BRF

1472395 Unauthorized change of stored contents (agency collections)

1470854 Security fix for tools for the Analysis Cockpit

1470350 Code injection vulnerability/Missing Auth-check in SRM

1470094 Authorization check in report H99_B2AFILE missing

1469982 Code injection vulnerability in ECC and SAP R/3

1469845 Missing authorization check in RMA

1469707 Saved data may be disclosed and changed

1469549 RFC: Work processes terminate in the XML parser

1467896 Unauthorized use of application functions in ICM

1466156 Missing Authorization Check in a BTE application

1465138 Change mode in SAT / SE30 "Tips & Tricks"

1463392 Potential disclosure,modification of persisted data in BRF+.

1463037 Hard-coded credentials in Class /FRE/FU_CL_TS_SERVICES

1462417 Missing authorization check in RFC module

1462348 Authorization check for transaction calls in program

1460043 Unsuitable authorization check in transaction SE24

1458820 The program contains Hardcoded username

1456569 Potential modification of persisted data

1453938 Potential information disclosure relating to WebDynpro ABAP

1453655 Code injection vulnerability in ECC and SAP R/3

1453605 Potential information disclosure relating to ECC and SAP R/3

1453604 Potential information disclosure relating to ECC and SAP R/3

1453541 Potential information disclosure relating to ECC and SAP R/3

1453457 WebReporting: Unauthorized modification of displayed content

1453164 Missing authorization check in module of upgrade

1452661 Code injection vulnerability in ECC PT PSM-FM Add-On

1451581 Logging of configuration changes not enabled


1450270 Unauthorized modification of displayed content in BSP

1450128 Code injection vulnerability in ECC and SAP R/3

1449574 Function module for reading batch input files

1449516 CRM Pharma: Log data changes in tables

1447671 Cross Site Scripting in BSP

1447622 Cross Site Scripting in BSP

1446869 Activate configuration logging for DAM tables

1446276 CTC: Table White Lists and Authorization Checks

1445407 Program can be used by specific users

1443973 WDA: Application configurations

1443934 Security fix for event determination program

1442580 Potential disclosure of authentication information

1442498 Information obtainable about Web Dynpro ABAP applications

1441953 Logon data can be discovered: XSS

1441945 Authorization check incomplete in XI/PI administration

1440345 Load balancer reveals backend server information

1439983 Disable S_TCC_* functions for heightened security

1437237 Explicitly coded user names in Web Dynpro

1437224 RMA: Security standard is not implemented

1436936 Unauthorized changes can be made to Web Dynpro ABAP session

1435655 Number of cryptographic bits increased in sap-contextid

1431790 Security fixes for SRM Legal Contract Authoring Duet applica

1431615 User-defined message search: Authorization for test

1430970 Unauthorized executing of functions in Web Dynpro ABAP

1429954 Hardcoded usernames in SCC

1429301 Missing authority check in APO transaction

1429198 Missing authorization check in RSUDO for "Execute as"

1428998 Missing authority check in Demand Planning transaction

1428526 Hardcoded usernames in APO

1428034 CLP: Missing Authorization Checks

1427914 Security Note : Leftover Debug Code

1427010 Unauthorized access to source-of-supply determination prgram

1427009 Unauthorized access to view procurement document

1427008 Authorization check for SRM Analysis Cockpit Tool

1426388 Security fixes for SRM DUET PUMA scenario

1425215 Security Note Missing Authority Check for Call Transaction

1425123 Missing authority check in BOP

1425122 Security Note: Generic Table Access

1424714 Missing Authorization Check in TA /SAPAPO/AMON2

1423936 Missing authority check in Supply Chain Cockpit/Engineer

1423413 Authorization check for FI-CA transactions FP03F/FP03L/FP03H

1423059 Security Fixes for SRM Analysis Cockpit Tool

1422737 Directory traversal vulnerability with statistic traces

1422572 Unauthorized change of displayed contents

1421432 Security problems due to dynamic SQL


1421005 Secure configuration of the message server

1420623 MOpz: Potential information disclosure relating to passwords

1420281 CO-OM tools: SE16N: Deactivating &SAP_EDIT

1419261 Error during Credit card Encryption not propagated in TR BP.

1418848 Authorization check for S_RFC_ADM in RSRFCPIN and RSRFCCHK

1418032 Potential Security Issues in SAP Solution Manager

1418031 Potential Security Issues in SAP Solution Manager

1417696 Unauthorized modif. of displayed content in MIC start page

1417568 Unauthorized change of contents in CERTREQ and CERTMAP

1415665 SQL injection in Solution Documentation Assistant

1415547 Security corrections ST-SER 2008.2

1415148 Missing Input Validation in Business-Explorer

1414444 sapstartsrv unstable

1414256 Changing TMSADM password is too complex

1414112 Security: Buffer overflow

1414089 Potential disclosure of authentication information in XI

1414059 Missing authorization check in a BW report

1411818 Handling Authorization concerns due to Note1030838 & 1381945

1411701 Generic ABAP function calls

1411659 Security fixes for SRM SUS, Vendor Evaluation, SRM ROS

1410798 Missing logging in transactn for totals document correction

1409234 Security:Actions can be executed/transactions can be started

1409141 Missing authority check in Data Consistency Framework

1407896 Missing authority check in Checktool within ECC

1407841 Dynamic Report Generation, Arbitrary Value Processing

1406435 Missing authorization check in FM PRGN_INTERFACE_USER

1392352 Security note: Cross-site scripting

1388864 ABAP web services authorization check does not work

1387576 CO-OM tools: SE16N: Authorization checks in view maintenance

1387574 Possible SQL injection in Persistence Service

1375125 Report BEFG_TEMPLATE_CREATE must not be used in production

1363631 BADI BUPA_F4_AUGRP does not filter BP's in search

1363371 FS-CD: Missing authorization checks SAPRGEN_CD

1362972 Industry Solution Migration Workbench: Authorization check

1361038 Report RJ-JXINI generates unnecessary source code

1357370 No authorization check for editor

1355614 IS-M/ PMD: Obsolete source code in master data generator

1343029 Unauthorized modification of displayed content in SHP

1342183 Security information: Transaction FIAAHELP

1340457 Security Note: Encoding fix for technical hidden fields

1339620 Security note:Cross Site Scripting (XSS) in cFolders

1339326 F&R: Remove hardcoded user name branches in code (security)

1336947 Security correction: Username hard coded

1335926 Some Fields are susceptible to Cross-site scripting

1335103 Security correction: removal of hardcoded user names


1334396 Security Checks: Removal of hardcoded user names

1334244 Some Fields are susceptible to Cross-site scripting.

1333668 Security Checks: Model Mix Planning

1330776 Security note: Files transferrable to EPS inbox w/o auth.

1329090 Security Note: Deactivate parameter sap-wd-ssrConsole

1327917 Authorizatn check for transactions FPSEC1/FPSEC2/FPSEC3

1315883 RSUSR003: Standard passwords for hash code versions H and I

1310174 Authority check missing

1306604 /SAPAPO/MC62 authorization for creating CVCs

1304803 Security note: Changing a transport without authorization

1302928 Field Level Authorizations Not Being Checked in CASE

1298433 Bypassing security in reginfo & secinfo

1298160 Security note: Forbidden program execution possible

1294675 Location: Authorization Check for Planning Version

1294431 Anchor links are generated with unwanted HTTP href address

1292875 Security note:Cross Site Scripting (XSS) in cFolders

1287570 BBP_QUOT: Cross-Site Scripting ( XSS )

1284360 Security Note: Cross Site Scripting (XSS) in cFolders

1275278 Security: HTML Encoding missing over the inputField tooltip

1271688 Security: Authorization check for technical help

1267878 Cross-site scripting error in BBP_POC

1265043 S_TCODE Authority check on T000 by SM30

1262016 Missing authority check in APO transaction.

1261319 Help Center user name in the URL

1259881 Prevent "Webadmin" task from system admin

1259414 Cross Site Scripting:PCUI Stored JavaScript Vulnerability

1243004 Security Note: Missing SYSLOG entries for ABAP Debugging

1235367 Missing authority check in APO transaction.

1232490 Authorization check SE80 for where-used list

1229303 Security note: Security gap in ACO_BSP_ADMIN

1224599 WDP: Performance problems or increase in handle consumption

1170353 Security update: SAP Web Dispatcher

1168813 Security note: Program DISPLAY_FUNC_INCLUDE

1167258 Security note: Program RS_REPAIR_SOURCE

1161689 Security note: aco_bsp_admin: Start only with ICF auth.

1159009 Security Note:RSDB2CMD switched to RSBDCOS0

1158063 P18:Security Note:RSSM_EXEC_COMMAND converted to RSBDCOS0

1151557 Security: External theme root not html escaped

1146690 Security Note: Passwords in SLD ABAP API

1145873 Security note: Security problem with FileDownload

1143177 Cache settings incorrect for WebDynpro ABAP

1142067 Missing authorization check for hidden functions

1136823 SOBJ: Display of object directory permits changes

1136770 Security note: ICF system login

1133739 Security note: Security gap in Data Browser (SE16)


1129536 SCMA - Missing authorization check in Schedule Manager

1120760 Security note: Missing authorization check for Web services

1115699 CO-OM Tools: SE16N: Adapting to SE16

1085326 Security Note: Check for 'System -> Status' (SE80)

1072946 Gateway: Bypassing monitor commands

1060643 Security note: Hijacking/sys. login: New login after refresh

1058531 BBPSC: Cross-site scripting error

1022102 Executing JavaScripts in logon data

957038 Security gap in cross-site scripting

Attachments

File Type  File Name                          Language  Size
ZIP        Note_888889_Transport_2011_08.zip  E         852 KB

Correction Instructions

Correction Instructions  Valid from  Valid to    Software Component  Type*)  Reference Correction  Last Changed
768388                   01L_APO30A  01L_SCM570  ST-A/PI             C       GSBK900259            18.05.2009 00:50:42
769761                   01L_BCO620  01L_SCM570  ST-A/PI             C       GSBK900261            18.05.2009 00:48:23

*) C Correction, B Preprocessing, A Postprocessing, M Undefined Work