
Cross-site request forgery protection for BSP, SAP security note 1458171

Description

Cross-site request forgery (XSRF, also CSRF) is an attack that targets web applications. For details about this attack, see the Wikipedia article: http://en.wikipedia.org/wiki/XSRF.

This SAP note describes a generic protection scheme to protect BSP applications against this kind of attack. Please note that in order to activate the XSRF protection for custom BSP applications not delivered by SAP, you have to configure each of your custom BSP applications as described below.

This SAP note is only relevant for you if you are using BSP services provided by SAP or if you have developed your own custom BSP services. If this is not the case, you can ignore this SAP note.

WARNING

SAP recommends applying the following support packages:

6.20 SAPKB62069 + correction instruction 946339 from this note
6.40 SAPKB64027
7.00 SAPKB70023
7.01 SAPKB70108
7.02 SAPKB70206
7.10 SAPKB71012
7.11 SAPKB71107
7.20 SAPKB72004

If you cannot apply the support packages, you can use the transport files attached to SAP note 1532403 for the releases 6.20, 6.40, 7.00, 7.01, 7.10 and 7.11. But please be aware that after importing the transports you will no longer be able to apply SNOTE corrections for objects you imported with one of these transports, as long as you do not apply the support packages listed above.

Example:
You have a system with SAPKB70020 and you applied the transport. If you decide to upgrade the system to a higher SP level, it is required to apply SAPKB70021, SAPKB70022 and SAPKB70023. Otherwise, because of the transport, the objects that are part of the transport might remain in an inconsistent state.

The recommendation is therefore to apply the support package and not to use the transport files from SAP note 1532403.

In order to protect BSP applications generically against this type of attack, SAP provides a generic protection framework for web applications that are built on BSP technology. This note is intended to inform SAP customers of the steps required to protect custom BSP services written by SAP customers.

Available fix and supported packages

Affected release ranges:

  • SAP_BASIS 620 to 640
  • SAP_BASIS 700 to 702
  • SAP_BASIS 710 to 730

Support packages containing the fix (component, release, support package):

  • SAP_BASIS 702 | SAPKB70205
  • SAP_BASIS 710 | SAPKB71011
  • SAP_BASIS 711 | SAPKB71106
  • SAP_BASIS 620 | SAPKB62069
  • SAP_BASIS 720 | SAPKB72004
  • SAP_BASIS 640 | SAPKB64027
  • SAP_BASIS 700 | SAPKB70023
  • SAP_BASIS 701 | SAPKB70108
  • SAP_BASIS 730 | SAPKB73001
  • SAP_BASIS 702 | SAPKB70206
  • SAP_BASIS 730 | SAPKB73002
  • SAP_BASIS 620 | SAPKB62070
  • SAP_BASIS 710 | SAPKB71012
  • SAP_BASIS 702 | SAPKB70207
  • SAP_BASIS 711 | SAPKB71107
  • SAP_BASIS 700 | SAPKB70024

Affected component

    BC-BSP
    Business Server Pages

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1458171

TAGS

#CSRF
#XSRF
