28.02.2013 Page 1 of 40
SAP Note 1497003 - Potential directory traversals in applications
Note Language: English Version: 16 Validity: Valid Since 02.02.2011
Summary
Symptom
This Security Note has been updated. See the following notes for details:
1. 1542033
Potential directory traversals in applications using physical file names or logical file names as input.
Other terms
path traversal, FILE_VALIDATE_NAME, FILE_GET_NAME, FILE, SF01, FILE_NOT_FOUND, LOGICAL_FILENAME_NOT_FOUND, VALIDATION_FAILED, SG 001, 805, 806, 807, 808, 809
Reason and Prerequisites
Some SAP applications contain vulnerabilities through which a malicious user can potentially read or write arbitrary files on the application server, possibly disclosing confidential information or corrupting data or altering system behavior. The problem is typically caused by user interfaces that allow input of a physical file name, or selection of an arbitrary logical file name.
Important Note
If you do not carry out the steps as described in note 1497003 you will create a syntax error in one of the central function groups of your system and make your system unusable. Please refer to note 1550116 for additional information.
Solution
In order to address this issue without disrupting established processes, SAP introduces the following enhancements to the ABAP runtime (KERNEL and SAP_BASIS):
1. All file system paths are normalized before checks against authorization object S_DATASET or customizing table SPTH are performed. Normalization means that:
a) Redundant '.'s are removed (e.g. a/./b => a/b).
b) Path components followed by '..' are removed (e.g. a/b/../c => a/c). Note that for links this semantic is not identical to following .. on the real file system. SAP recommends not to use .. and in particular not the combination of .. and links.
c) If a platform supports different path separators, path separators are replaced by their default representation (Windows allows either '/' or '\', so a/b\c => a\b\c)
2. Comparison against paths in authorization checks will be case-insensitive on Windows, as Windows doesn't distinguish letter case in file names.
3. Flags FS_NOREAD and FS_NOWRITE and checks against authorization object S_PATH are implemented as described in the Online Documentation, e.g. at http://help.sap.com/saphelp_nw70/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for NetWeaver 7.0) or http://help.sap.com/saphelp_bw/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for BW)
4. A mechanism to validate physical file names against a logical file name, giving administrators the option to configure directories that are valid in the respective application context. For user interfaces that allow input of a logical file name, administrators can define a set of aliases of logical file names valid within that scenario. Please refer to the documentation on logical file names for more information on this indirection mechanism. The documentation is also attached to this note as a PDF file.
5. Please note that this mechanism does not ensure security unless you configure physical file names or aliases, thus enforcing validation. In order to support customers with that task, report RSFILENA has been enhanced in order to spot logical file names that are not configured to use the implemented validation mechanism.
The central mechanism is used in application code updated by the referenced notes. All of these notes describe changes to applications, where
a) Physical file names can be entered without sufficient validation.
b) Logical file names can be selected without sufficient validation.
c) a) or b) in code or functionality that SAP considers obsolete and that is therefore removed or disabled as otherwise customers would have to configure obsolete validations as well.
Implementation
1. Please update your kernel at least to the patch level indicated in the SP Patch Level section of this note. Please note that the kernel patch package referenced in the SP Patch Level section is the "disp+work package". This kernel patch level was released in December 2010 and is definitely available for all releases.
Note: the corrections below do not have a hard dependency on the kernel change and therefore can be implemented before updating the kernel. However in order to avoid inconsistent runtime checking, SAP recommends to update the kernel as soon as possible and no later than starting the configuration process.
2. Please implement support packages as indicated in the support package section of this note and the notes referencing it. Alternatively you can apply the respective correction instructions. As quite a number of objects were added, a transport is being made available that contains all new objects of this note (logical file name functionality). For releases 640 and below, another transport containing the modified objects is available as well, plus a transport containing report RSFILECR.
Note: when importing the transports be sure to have versioning turned on. You may have to use unconditional mode to ensure any other corrections or modifications are not blocking the import. Be sure to check the transport results and follow up on conflicts if any.
3. The logical file name and file path definitions of applications are also delivered via report RSFILECR that needs to be executed once after implementation of the correction instructions.
The report also changes the fixed values of domain FILEFORMAT. Depending on your release and support package level you might get a corresponding message or you might have to register the object for changes before the fixed values can be changed.
4. The correction instructions in this note do not fix any of these vulnerabilities but instead provide standard functionality and instructions to address this kind of vulnerability in applications. You need to implement the referenced notes as well and follow the configuration instructions below in order to secure the applications.
Please refer to related notes for applications affected and adopting this solution. SAP recommends to implement (and then configure) all notes of all software components installed in the respective system, irrespective of whether the application is used, as otherwise - depending on your authorization implementation - vulnerabilities in unused applications might be exploited by a malicious user.
5. You should also check whether your own coding contains similar vulnerabilities. Please refer to the attached secure programming guide on logical file names (SecureProgramming_LogFileNames.pdf). Starting with NetWeaver release 7.00 you can use the report RS_ABAP_SOURCE_SCAN to search for any OPEN DATASET statements in applications belonging to your own namespaces (Y*, Z*, maybe others you registered).
Configuration
1. If authorization object S_DATASET is used (i.e. it contains real file system paths, not only *), these paths must be normalized in accordance with 1. above.
2. If customizing table SPTH contains any path entries, they must be normalized as well. As customizing table SPTH cannot distinguish between different operating systems, all paths for all application servers have to be maintained in their normalized form.
3. If customizing table SPTH contains any entries in the fields FS_NOREAD or FS_NOWRITE make sure that these entries are really intended. Be especially careful with an entry PATH=*, FS_NOREAD=X, FS_NOWRITE=X as it disallows any access to the file system except for paths explicitly maintained in SPTH. Also Path PATH=*, FS_NOREAD=X, FS_NOWRITE=' ' has the same effect as PATH=*, FS_NOREAD=X, FS_NOWRITE=X.
4. Implementing the support package or corrections does not enable the validation features. Administrators will have to configure the logical paths of logical file names accordingly. Please refer to the attached documentation on logical file names for instructions how to use configuration tools.
Whether you enforce path validation immediately or use a grace period may depend on whether you had instructions to use specific physical paths in place previously and also on the confidentiality level of files stored on the application server. In order to support administrators with the task of identifying file locations in use, the security audit log can be configured to log any validation that is not performed due to unconfigured paths or missing aliases, as well as any validation that fails due to the file name being outside the defined paths. If you use this feature, you should regularly check the security audit log for any file name not configured and also help users migrate to a valid path. Please note that activating file name validation will also affect previously scheduled jobs for the corresponding programs. Once you activate file name validation you should monitor job results closely in order to avoid disruptions. Documentation of the security audit log is attached as a PDF to this note.
In releases 31I to 46C the system log is used instead of the security audit log.
In case business users are supposed to specify file names in different file paths in the application server file system, SAP recommends that you define additional logical file names in customer name space Y* or Z*, pointing to different file paths in the application server file system, and define them as aliases of the SAP defined logical file name. Please note that aliases are checked in ascending alphabetical order. If the user specifies a physical file name which does not match the specifications of any of the aliases the user will be directed to specify a physical file name according to the last alias.
Example
Program EXAMPLE_ACCESS_APPL_SERVER_FILE uses logical file name EXAMPLE_FILE to validate user input. You defined EXAMPLE_FILE so the user should specify a file name in directory /usr/SAP/tmp/test. You also created logical file name ZTEST_FILE and defined it so the user should specify a file name in directory /usr/SAP/work/test. You defined ZTEST_FILE as an alias for EXAMPLE_FILE. If the user specifies a file name outside both of the file paths you specified the user will be notified that a file name in directory /usr/SAP/work/test must be specified.
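The normalization rules from items 1 and 2 of the Solution section and the alias check from the example above, as an added Python illustration that is not SAP's code and not a model of the ABAP kernel: the directory names, the extra alias ZARCHIVE_FILE and the unconfigured name EXAMPLE_UNCONFIGURED are constructed sample values, and the handling of a leading '..' that cannot be collapsed and of an alias without a path are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple


def normalize_path(path: str, windows: bool = False) -> str:
    """Normalize a path before comparing it with S_DATASET, SPTH or the
    directory of a logical file name (items 1 and 2 of the Solution).

    a) redundant '.' components are dropped          a/./b    -> a/b
    b) a component followed by '..' is removed        a/b/../c -> a/c
    c) on Windows '/' is rewritten to the default '\\'  a/b\\c  -> a\\b\\c
    Assumption of this example: a '..' with nothing left to remove (as in
    '../x') cannot be normalized and is rejected. UNC paths are not handled.
    """
    sep = "\\" if windows else "/"
    root = ""
    if windows:
        path = path.replace("/", "\\")            # rule c)
        if len(path) >= 2 and path[1] == ":":
            root, path = path[:2], path[2:]       # keep the drive letter
    absolute = path.startswith(sep)
    parts: List[str] = []
    for comp in path.split(sep):
        if comp in ("", "."):
            continue                              # rule a), doubled separators
        if comp == "..":
            if not parts:
                raise ValueError(f"'..' escapes the start of {path!r}")
            parts.pop()                           # rule b)
            continue
        parts.append(comp)
    return root + (sep if absolute else "") + sep.join(parts)


def in_directory(physical: str, directory: str, windows: bool = False) -> bool:
    """True when the normalized physical file name lies below directory.
    The comparison is case-insensitive on Windows (item 2)."""
    sep = "\\" if windows else "/"
    p = normalize_path(physical, windows)
    d = normalize_path(directory, windows)
    if windows:
        p, d = p.lower(), d.lower()
    return p.startswith(d.rstrip(sep) + sep)


# Constructed configuration: logical file name -> directory users may use.
# None means the name exists but no path is configured, so nothing can be
# validated (the situation system log message CU Q reports).
LOGICAL_PATHS: Dict[str, Optional[str]] = {
    "EXAMPLE_FILE": "/usr/SAP/tmp/test",
    "ZTEST_FILE": "/usr/SAP/work/test",
    "ZARCHIVE_FILE": "/usr/SAP/archive/test",   # extra constructed alias
    "EXAMPLE_UNCONFIGURED": None,
}
# Constructed alias table (the role table FILEALIAS plays on this page):
# application logical file name -> customer aliases in name space Y*/Z*.
ALIASES: Dict[str, List[str]] = {
    "EXAMPLE_FILE": ["ZTEST_FILE", "ZARCHIVE_FILE"],
}


def validate_file_name(logical: str, physical: str,
                       windows: bool = False) -> Tuple[bool, str, str]:
    """Validate user input the way the note describes for FILE_VALIDATE_NAME.

    Returns (validation_active, result, detail):
      (False, "NOT_CONFIGURED", logical)  no directory configured: the name
                                           passes without validation (CU Q)
      (True,  "OK", name)                  matched the logical name or alias
      (True,  "FAILED", directory)         no match; directory of the last
                                           alias in ascending alphabetical
                                           order, for message SG 808
    Raises KeyError for an unknown name (LOGICAL_FILENAME_NOT_FOUND).
    """
    if logical not in LOGICAL_PATHS:
        raise KeyError(f"LOGICAL_FILENAME_NOT_FOUND: {logical}")
    if LOGICAL_PATHS[logical] is None:
        return (False, "NOT_CONFIGURED", logical)
    # The logical file name itself first, then its aliases in ascending
    # alphabetical order, as the note states.
    candidates = [logical] + sorted(ALIASES.get(logical, []))
    for name in candidates:
        directory = LOGICAL_PATHS.get(name)
        if directory is None:
            continue      # assumption: an alias without a path never matches
        try:
            matched = in_directory(physical, directory, windows)
        except ValueError:
            matched = False   # a name that cannot be normalized never matches
        if matched:
            return (True, "OK", name)
    return (True, "FAILED", LOGICAL_PATHS[candidates[-1]] or "")
```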
SAP recommends to configure all logical paths delivered for file name validation. If you are not actively using all applications or integration scenarios you should assign a physical path for which the application server user used for file access is not authorized to each of the validation file names. Alternatively you can create a logical file name using such a physical path and assign this new logical file name as an alias to all validation file names which should not be used in your system.
You can run report RSFILENA to check for any unconfigured logical file names. This report is also available in the Implementation Guide (IMG) at SAP Customizing Implementation Guide >> SAP Netweaver >> Application Server >> System Administration >> Platform-Independent File Names >> Run Analysis
Troubleshooting
1. Incomplete implementation
Syntax errors like 'The type "CL_FS_PATH" is unknown' or runtime errors like CALL_FUNCTION_NOT_FOUND or CX_SY_DYN_CALL_ILLEGAL_FUNC indicate an incomplete implementation. Be sure to follow the manual steps precisely or import the transports.
2. Incomplete configuration
The exceptions FILE_NOT_FOUND and LOGICAL_FILENAME_NOT_FOUND or the messages 001 and 807 of the message group SG indicate that the logical file name used by the application does not exist in the configuration. Please execute report RSFILECR and use transaction FILE to create the logical file name. If the problem persists, please create the logical file name manually with transaction FILE.
3. Failing authorization checks (function FILE_AUTHORITY_CHECK, statement OPEN DATASET, authorization check S_DATASET or S_PATH)
a) Please check whether the kernel has been updated and the corrections have been applied. If the kernel and the corrections of the notes are inconsistent, it can be very difficult to debug inconsistent customizing and authorizations as only part of the system is performing normalization. E.g. an explicit call to function module AUTHORITY_CHECK_DATASET may grant access to a certain file while the actual call via statement OPEN DATASET denies it or vice versa. There is no issue in case only normalized paths are used.
b) Please check contents of customizing table SPTH for any line containing * plus the flags FS_NOREAD or FS_NOWRITE set to 'X'. In case such an entry exists, you will have to add all file system locations used, possibly using multiple system specific paths. As a temporary workaround you can delete all entries from customizing table SPTH until reasons for the issues have been resolved.
c) Please check authorizations for authorization object S_DATASET for any missing directories. An entry of * grants access to all files.
4. Path normalization is active by default, but can be deactivated by setting the profile parameter 'abap/path_normalization' to value 'off'. Please note that normalization is a prerequisite for validation. Please configure that profile parameter only when advised by SAP development support.
------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_APPL           SAP Application               |
| Release 31I         Until SAPKH31IB8                                 |
| Release 40B         Until SAPKH40B88                                 |
| Release 45B         Until SAPKH45B66                                 |
------------------------------------------------------------------------
Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.
Basis Release   Relevant Archive(s)
<= 46C          Basis_46C_and_lower.zip & RSFILECR.zip
>= 620          Basis_620_and_higher.zip
Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.
Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:
Attribute                     Value
Title                         RSFILECR
Package / Development Class   SFIL
Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.
If you have decided to import the transport request as suggested you do not need to read through the following instructions (exceptions for releases 620 and 640 see above table).
Alternative: Manual Steps
It is recommended that you import the transport file as described above. This highly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation relevant objects.
If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.
If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well since they contain the changes to the individual objects which have to be corrected.
However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to remove the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.
If you do not remove the checkboxes while applying the correction instructions for note 1497003 in this scenario it is possible that (depending on your release and support package level) some corrections will be applied twice resulting in syntax errors in central function groups almost making it impossible to perform any activities in the system.
Add Fixed Value for Domain FILEFORMAT
Fixed value   Short text
DIR           Check directory for file name validation
Activate the changes.
Create New Data Element FILE_ALIAS
Attribute     Value
Short Text    Alias for a Logical File Name
Domain Name   FILEINTERN
Short Text    Alias
Medium Text   Alias Logical File
Long Text     Alias for a Logical File Name
Header        Alias for a Logical File Name
Activate the changes.
Create New Data Element FILE_LAPPL
Attribute     Value
Short Text    Logical File Name of the Application
Domain Name   FILEINTERN
Short Text    File
Medium Text   Application: File
Long Text     Application: Logical File Name
Header        Logical File Name of the Application
Activate the changes.
Create New Structure FILE_TS_FI
1. General Properties
Attribute    Value
Short text   Logical File Names
2. Field List
Field      Data Element
FILENAME   FILEINTERN
Activate the changes.
Create New Database Table FILEA31I
3. General Properties
Attribute           Value
Short Text          Aliases for Validation of Logical File Names
Delivery Class      G
Tab.Maint.Allowed   Checked
4. Field List
Field        Key   Data Element
RCLNT        X     MANDT
LOGFILE_AP   X     FILE_LAPPL
SEQNR        X     SEQNR
LOGFILE_AL         FILE_ALIAS
5. Foreign Keys
Define foreign key relationship for the following fields:
- LOGFILE_AP
- LOGFILE_AL
a) Accept proposed check table and fields.
b) Activate the changes.
Create New View Maintenance
6. Create DDIC view V_FILEA31I:
a) Start transaction SE54.
b) Specify Table/View V_FILEA31I.
c) Select option ABAP Dictionary.
d) Choose function Create/change.
Attribute           Value
Type                View
Development Class   SFIL
Short Text          Aliases for Validation of File Names
Table               FILEA31I
e) View Fields
View field   Table      Field name
RCLNT        FILEA31I   RCLNT
LOGFILE_AP   FILEA31I   LOGFILE_AP
SEQNR        FILEA31I   SEQNR
LOGFILE_AL   FILEA31I   LOGFILE_AL
f) Activate the changes.
7. Generate Objects
a) Start transaction SE54.
b) Specify Table/View V_FILEA31I.
c) Select option Generated Objects.
d) Choose function Create/change.
Attribute             Value
Function Group        1SFN
Authorization Group   SC
Maintenance Type      one step
Overview screen       100
e) Choose function Create.
f) Follow the dialog to create the view maintenance objects.
Create New Messages
8. Start transaction SE91.
9. Specify message class SG.
10. Choose option Messages.
11. Choose function Change.
12. Create the following messages. Please note that due to formatting reasons spaces were added within the quotation marks for the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.
Number   Short Text
805      File '&1 &2 ' is not in the directory area '&3 &4 '.
806      File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
807      Logical file name '&1' does not exist
808      Specify a file name in '&1 &2 '
809      Logical file name '&1' not allowed
13. Save the changes.
Create New System Log Messages
14. Start transaction SE92.
15. Create the following messages:
System log no.   Short text
CU Q             Logical file name &A not configured. Physical file name &B cannot be validated
CU R             Physical file name &B does not meet requirements set by logical file name &A
CU S             Logical file name &B is not a valid alias for logical file name &A
CU T             No validation active for logical file name &A
16. Save the changes.
Create New Function Modules
17. FILE_GET_LOGFILE_ALIAS
a) Go to transaction SE37.
b) Specify function module FILE_GET_LOGFILE_ALIAS.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   FILE_GET_LOGFILE_ALIAS
Function group         SFIL
Short text             FILE_GET_LOGFILE_ALIAS
e) Create the following import parameters:
Import parameter   Reference field         Proposal   Optional
ED_LOGFILE_APPL    FILENAMECI-FILEINTERN
ED_CLIENT          SY-MANDT                SY-MANDT   X
f) Create the following table parameters:
Table parameters   Reference structure   Optional
CTS_ALIAS          FILE_TS_FI            X
g) Save the changes.
18. FILE_LOGFILE_ALIAS_F4
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_F4.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_F4
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_F4
e) Create the following import parameters:
Import parameter    Reference field       Proposal   Optional
ED_LOGFILE_APPL     FILENAME-FILEINTERN
ED_PARAMETER_NAME                                    X
ED_PROGRAM_NAME     SY-REPID              SY-CPROG   X
ED_SCREEN_NUMBER    SY-DYNNR              SY-DYNNR   X
f) Create the following changing parameters:
CHANGING parameter   Reference field
CD_LOGICAL_FILE      FILENAME-FILEINTERN
g) Save the changes.
19. FILE_LOGFILE_ALIAS_PAI
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PAI.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PAI
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PAI
e) Create the following import parameters:
Import parameter   Reference field         Proposal   Optional
ED_LOGFILE_APPL    FILENAMECI-FILEINTERN
f) Create the following changing parameters:
CHANGING parameter   Reference structure
CD_LOGICAL_FILE      FILENAMECI-FILEINTERN
g) Create the following exceptions:
Exception
EXC_INVALID_FILENAME
EXC_VALIDATION_ERROR
h) Save the changes.
20. FILE_LOGFILE_ALIAS_PBO
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PBO.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PBO
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PBO
e) Create the following import parameters:
Import parameter    Reference field         Proposal   Optional
ED_LOGFILE_APPL     FILENAMECI-FILEINTERN
ED_PARAMETER_NAME                                      X
f) Create the following changing parameters:
CHANGING parameter   Reference structure
CD_LOGFILE_PARAM     FILENAMECI-FILEINTERN
g) Save the changes.
21. FILE_VALIDATE_NAME
a) Go to transaction SE37.
b) Specify function module FILE_VALIDATE_NAME.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   FILE_VALIDATE_NAME
Function group         SFIL
Short text             FILE_VALIDATE_NAME
e) Create the following import parameters:
Import parameter      Reference field       Proposal   Optional   Reference
CLIENT                SY-MANDT              SY-MANDT   X          X
LOGICAL_FILENAME      FILENAME-FILEINTERN                         X
OPERATING_SYSTEM      SY-OPSYS              SY-OPSYS   X          X
PARAMETER_1                                            X          X
PARAMETER_2                                            X          X
PARAMETER_3                                            X          X
WITH_FILE_EXTENSION   SY-DATAR                         X          X
USE_BUFFER            SY-DATAR                         X          X
ELIMINATE_BLANKS      SY-DATAR                         X          X
f) Create the following export parameters:
Export parameters   Reference
VALIDATION_ACTIVE   X
g) Create the following changing parameters:
CHANGING parameter
PHYSICAL_FILENAME
h) Create the following table parameters:
Table parameters   Reference structure   Optional
TS_ALIAS           FILE_TS_FI            X
i) Create the following exceptions:
Exception
LOGICAL_FILENAME_NOT_FOUND
VALIDATION_FAILED
j) Save the changes.
22. RSAU_WRITE_FILE_AUDIT_LOG
a) Go to transaction SE37.
b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.
c) Choose function Create.
d) Specify the following attributes:
Attribute              Value
Function module name   RSAU_WRITE_FILE_AUDIT_LOG
Function group         SECU
Short text             RSAU_WRITE_FILE_AUDIT_LOG
e) Create the following import parameters:
Import parameter          Reference type
IV_LOGICAL_FILE_PROBLEM   I
IV_PARAM_1
IV_PARAM_2
f) Create the following exceptions:
Exception
PARAMETER_ERROR
g) Save the changes.
Create New Includes
23. LSFILF03
a) Go to transaction SE38.
b) Specify program LSFILF03.
c) Choose function Create.
d) Specify the following attributes:
Attribute   Value
Title       LSFILF03
Type        Include program
e) Save the changes.
------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS          SAP Basis compo...            |
| Release 620         Until SAPKB62069                                 |
| Release 640         Until SAPKB64027                                 |
| Release 700         Until SAPKB70023                                 |
| Release 710         Until SAPKB71011                                 |
| Release 711         Until SAPKB71106                                 |
| Release 701         Until SAPKB70108                                 |
| Release 702         Until SAPKB70206                                 |
| Release 730         Until SAPKB73001                                 |
| Release 720         Until SAPKB72004                                 |
------------------------------------------------------------------------
Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.
Basis Release   Relevant Archive(s)
<= 46C          Basis_46C_and_lower.zip & RSFILECR.zip
>= 620          Basis_620_and_higher.zip
Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.
Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:
Attribute                     Value
Title                         RSFILECR
Package / Development Class   SFIL
Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.
If you have decided to import the transport request as suggested you do not need to read through the following instructions (exceptions for releases 620 and 640 see above table).
Alternative: Manual Steps
It is recommended that you import the transport file as described above. This highly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation relevant objects.
If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.
If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well since they contain the changes to the individual objects which have to be corrected.
However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to remove the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.
If you do not remove the checkboxes while applying the correction instructions for note 1497003 in this scenario it is possible that (depending on your release and support package level) some corrections will be applied twice resulting in syntax errors in central function groups almost making it impossible to perform any activities in the system.
Add Fixed Value for Domain FILEFORMAT
Fixed value   Short text
DIR           Check directory for file name validation
Activate the changes.
Create New Data Element FILE_ALIAS
Attribute     Value
Short Text    Alias for a Logical File Name
Domain Name   FILEINTERN
Short Text    Alias
Medium Text   Alias Logical File
Long Text     Alias for a Logical File Name
Header        Alias for a Logical File Name
Activate the changes.
Create New Data Element SEQNR_NUMC3
Attribute     Value
Short Text    Alias for a Logical File Name
Domain Name   NUMC3
Short Text    SeqNr
Medium Text   Sequential Number
Long Text     Sequential Number
Header        Sequential Number
Activate the changes.
Create New Data Element FILE_LAPPL
Attribute     Value
Short Text    Logical File Name of the Application
Domain Name   FILEINTERN
Short Text    File
Medium Text   Application: File
Long Text     Application: Logical File Name
Header        Logical File Name of the Application
Activate the changes.
Create New Table Type Structure FILE_TS_FILEINTERN
1. General Properties
Attribute    Value
Short text   Logical File Names
Line type    FILEINTERN
Access       Sorted Table
Key          Standard, Non-Unique
Activate the changes.
Create New Database Table FILEALIAS
2. General Properties
Attribute           Value
Short Text          Aliases for Validation of Logical File Names
Delivery Class      G
Tab.Maint.Allowed   Checked
3. Field List
Field           Key   Data Element
RCLNT           X     MANDT
LOGFILE_APPL    X     FILE_LAPPL
SEQNR           X     SEQNR_NUMC3
LOGFILE_ALIAS         FILE_ALIAS
4. Foreign Keys
Define foreign key relationship for the following fields:
- LOGFILE_APPL
- LOGFILE_ALIAS
a) Accept proposed check table and fields.
b) Activate the changes.
Create New View Maintenance
5. Create DDIC view V_FILEALIA:
a) Start transaction SE54.
b) Specify Table/View V_FILEALIA.
c) Select option ABAP Dictionary.
d) Choose function Create/change.
Attribute           Value
Type                View
Development Class   SFIL
Short Text          Aliases for Validation of File Names
Table               FILEALIAS
e) View Fields
View field      Table       Field name
RCLNT           FILEALIAS   RCLNT
LOGFILE_APPL    FILEALIAS   LOGFILE_APPL
SEQNR           FILEALIAS   SEQNR
LOGFILE_ALIAS   FILEALIAS   LOGFILE_ALIAS
f) Activate the changes.
6. Generate Objects
a) Start transaction SE54.
b) Specify Table/View V_FILEALIA.
c) Select option Generated Objects.
d) Choose function Create/change.
Attribute             Value
Function Group        1SFN
Authorization Group   SC
Maintenance Type      one step
Overview screen       100
e) Choose function Create.
f) Follow the dialog to create the view maintenance objects.
Create New Messages
7. Start transaction SE91.
8. Specify message class SG.
9. Choose option Messages.
10. Choose function Change.
11. Create the following messages. Please note that due to formatting reasons spaces were added within the quotation marks for the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.
Number   Short Text
805      File '&1 &2 ' is not in the directory area '&3 &4 '.
806      File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
807      Logical file name '&1' does not exist
808      Specify a file name in '&1 &2 '
809      Logical file name '&1' not allowed
12. Save the changes.
Create New System Log Messages
13. Start transaction SE92.
14. Create the following messages:
System log no.   Short text
CU Q             Logical file name &A not configured. Physical file name &B cannot be validated
CU R             Physical file name &B does not meet requirements set by logical file name &A
CU S             Logical file name &B is not a valid alias for logical file name &A
CU T             No validation active for logical file name &A
15. Save the changes.
Create New Function Modules
16. FILE_GET_LOGFILE_ALIAS
a) Go to transaction SE37.
b) Specify function module FILE_GET_LOGFILE_ALIAS.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_GET_LOGFILE_ALIAS
   Function group        SFIL
   Short text            FILE_GET_LOGFILE_ALIAS
e) Create the following import parameters:
   Import parameter  Typing  Associated Type  Default Value  Optional  Pass value
   ED_LOGFILE_APPL   TYPE    FILEINTERN                                X
   ED_CLIENT         TYPE    MANDT            SY-MANDT       X         X
f) Create the following table parameters:
   Changing parameters  Typing  Associated Type
   CTS_ALIAS            TYPE    FILE_TS_FILEINTERN
g) Save the changes.
17. FILE_LOGFILE_ALIAS_F4
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_F4.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_F4
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_F4
e) Create the following import parameters:
   Import parameter   Typing  Associated Type  Default Value  Optional  Pass value
   ED_LOGFILE_APPL    TYPE    FILEINTERN                                X
   ED_PARAMETER_NAME  TYPE    FIELDNAME                       X         X
   ED_PROGRAM_NAME    TYPE    SYREPID          SY-CPROG       X         X
   ED_SCREEN_NUMBER   TYPE    SYDYNNR          SY-DYNNR       X         X
f) Create the following changing parameters:
   CHANGING parameter  Typing  Associated Type
   CD_LOGICAL_FILE     TYPE    FILEINTERN
g) Save the changes.
18. FILE_LOGFILE_ALIAS_PAI
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PAI.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_PAI
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_PAI
e) Create the following import parameters:
   Import parameter  Typing  Associated Type  Default Value  Optional  Pass value
   ED_LOGFILE_APPL   TYPE    FILEINTERN
f) Create the following changing parameters:
   CHANGING parameter  Typing  Associated Type
   CD_LOGICAL_FILE     TYPE    FILEINTERN
g) Create the following exceptions:
   Exception
   EXC_INVALID_FILENAME
   EXC_VALIDATION_ERROR
h) Save the changes.
19. FILE_LOGFILE_ALIAS_PBO
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PBO.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_PBO
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_PBO
e) Create the following import parameters:
   Import parameter   Typing  Associated Type  Default Value  Optional  Pass value
   ED_LOGFILE_APPL    TYPE    FILEINTERN                                X
   ED_PARAMETER_NAME  TYPE    FIELDNAME                       X         X
f) Create the following changing parameters:
   CHANGING parameter  Typing  Associated Type
   CD_LOGFILE_PARAM    TYPE    FILEINTERN       X
g) Save the changes.
20. FILE_VALIDATE_NAME
a) Go to transaction SE37.
b) Specify function module FILE_VALIDATE_NAME.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_VALIDATE_NAME
   Function group        SFIL
   Short text            FILE_VALIDATE_NAME
e) Create the following import parameters:
   Import parameter     Type spec.  Reference field      Proposal  Optional  Pass Value
   CLIENT               LIKE        SY-MANDT             SY-MANDT  X         X
   LOGICAL_FILENAME     LIKE        FILENAME-FILEINTERN                      X
   OPERATING_SYSTEM     LIKE        SY-OPSYS             SY-OPSYS  X         X
   PARAMETER_1                                                     X         X
   PARAMETER_2                                                     X         X
   PARAMETER_3                                                     X         X
   WITH_FILE_EXTENSION                                             X         X
   USE_BUFFER                                                      X         X
   ELIMINATE_BLANKS     LIKE        SY-DATAR                       X         X
f) Create the following export parameters:
   Export parameters  Typing  Associated Type
   VALIDATION_ACTIVE  TYPE    BOOLE_D
   TS_ALIAS           TYPE    FILE_TS_FILEINTERN
g) Create the following changing parameters:
   CHANGING parameter  Typing  Associated Type
   PHYSICAL_FILENAME   TYPE    CLIKE
h) Create the following exceptions:
   Exception
   LOGICAL_FILENAME_NOT_FOUND
   VALIDATION_FAILED
i) Save the changes.
21. RSAU_WRITE_FILE_AUDIT_LOG
a) Go to transaction SE37.
b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  RSAU_WRITE_FILE_AUDIT_LOG
   Function group        SECU
   Short text            RSAU_WRITE_FILE_AUDIT_LOG
e) Create the following import parameters:
   Import parameter         Typing  Associated Type
   IV_LOGICAL_FILE_PROBLEM  TYPE    I
   IV_PARAM_1               TYPE    CLIKE
   IV_PARAM_2               TYPE    CLIKE
f) Create the following exceptions:
   Exception
   PARAMETER_ERROR
g) Save the changes.
Create New Includes
22. LSFILF03
a) Go to transaction SE38.
b) Specify program LSFILF03.
c) Choose function Create.
d) Specify the following attributes:
   Attribute  Value
   Title      LSFILF03
   Type       Include program
e) Save the changes.
------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS           SAP Basis compo...           |
| Release 46C         Until SAPKB46C61                                 |
| Release 46B         Until SAPKB46B61                                 |
------------------------------------------------------------------------
Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.
Basis Release  Relevant Archive(s)
<= 46C         Basis_46C_and_lower.zip & RSFILECR.zip
>= 620 - 640   Basis_620_and_higher.zip
Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.
Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:
Attribute                    Value
Title                        RSFILECR
Package / Development Class  SFIL
Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.
If you have decided to import the transport request as suggested you do not need to read through the following instructions (for the exceptions for releases 620 and 640 see the table above).
Alternative: Manual Steps
It is recommended that you import the transport file as described above. This greatly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation-relevant objects.
If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well, since they contain the changes to the individual objects which have to be corrected.
However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components, you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to remove the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.
If you do not remove the checkboxes while applying the correction instructions for note 1497003 in this scenario it is possible that (depending on your release and support package level) some corrections will be applied twice, resulting in syntax errors in central function groups and making it almost impossible to perform any activities in the system.
If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.
Add Fixed Value for Domain FILEFORMAT
Fixed value  Short text
DIR          Check directory for file name validation
Activate the changes.
Create New Data Element FILE_ALIAS
Attribute    Value
Short Text   Alias for a Logical File Name
Domain Name  FILEINTERN
Short Text   Alias
Medium Text  Alias Logical File
Long Text    Alias for a Logical File Name
Header       Alias for a Logical File Name
Activate the changes.
Create New Data Element FILE_LAPPL
Attribute    Value
Short Text   Logical File Name of the Application
Domain Name  FILEINTERN
Short Text   File
Medium Text  Application: File
Long Text    Application: Logical File Name
Header       Logical File Name of the Application
Activate the changes.
Create New Structure FILE_TS_FI
1. General Properties
   Attribute   Value
   Short text  Logical File Names
2. Field List
   Field     Data Element
   FILENAME  FILEINTERN
   Activate the changes.
Create New Database Table FILEA31I
3. General Properties
   Attribute           Value
   Short Text          Aliases for Validation of Logical File Names
   Delivery Class      G
   Tab.Maint.Allowed   Checked
4. Field List
   Field       Key  Data Element
   RCLNT       X    MANDT
   LOGFILE_AP  X    FILE_LAPPL
   SEQNR       X    SEQNR
   LOGFILE_AL       FILE_ALIAS
5. Foreign KeysDefine foreign key relationship for the following fields:
- LOGFILE_AP
- LOGFILE_AL
a) Accept proposed check table and fields.
b) Activate the changes.
Create New View Maintenance
6. Create DDIC view V_FILEA31I:
a) Start transaction SE54.
b) Specify Table/View V_FILEA31I.
c) Select option ABAP Dictionary.
d) Choose function Create/change.
   Attribute          Value
   Type               View
   Development Class  SFIL
   Short Text         Aliases for Validation of File Names
   Table              FILEA31I
e) View Fields
   View field  Table     Field name
   RCLNT       FILEA31I  RCLNT
   LOGFILE_AP  FILEA31I  LOGFILE_AP
   SEQNR       FILEA31I  SEQNR
   LOGFILE_AL  FILEA31I  LOGFILE_AL
f) Activate the changes.
7. Generate Objects
a) Start transaction SE54.
b) Specify Table/View V_FILEA31I.
c) Select option Generated Objects.
d) Choose function Create/change.
   Attribute            Value
   Function Group       1SFN
   Authorization Group  SC
   Maintenance Type     one step
   Overview screen      100
e) Choose function Create.
f) Follow the dialog to create the view maintenance objects.
Create New Messages
8. Start transaction SE91.
9. Specify message class SG.
10. Choose option Messages.
11. Choose function Change.
12. Create the following messages. Please note that, for formatting reasons, spaces were added within the quotation marks around the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.
    Number  Short Text
    805     File '&1 &2 ' is not in the directory area '&3 &4 '.
    806     File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
    807     Logical file name '&1' does not exist
    808     Specify a file name in '&1 &2 '
    809     Logical file name '&1' not allowed
13. Save the changes.
Create New System Log Messages
14. Start transaction SE92.
15. Create the following messages:
    System log no.  Short text
    CU Q            Logical file name &A not configured. Physical file name &B cannot be validated
    CU R            Physical file name &B does not meet requirements set by logical file name &A
    CU S            Logical file name &B is not a valid alias for logical file name &A
    CU T            No validation active for logical file name &A
16. Save the changes.
Create New Function Modules
17. FILE_GET_LOGFILE_ALIAS
a) Go to transaction SE37.
b) Specify function module FILE_GET_LOGFILE_ALIAS.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_GET_LOGFILE_ALIAS
   Function group        SFIL
   Short text            FILE_GET_LOGFILE_ALIAS
e) Create the following import parameters:
   Import parameter  Type spec.  Reference field        Proposal  Optional
   ED_LOGFILE_APPL   LIKE        FILENAMECI-FILEINTERN
   ED_CLIENT         LIKE        SY-MANDT               SY-MANDT  X
f) Create the following table parameters:
   Table parameters  Type spec.  Reference structure  Optional
   CTS_ALIAS         LIKE        FILE_TS_FI           X
g) Save the changes.
18. FILE_LOGFILE_ALIAS_F4
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_F4.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_F4
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_F4
e) Create the following import parameters:
   Import parameter   Type spec.  Reference field      Proposal  Optional
   ED_LOGFILE_APPL    LIKE        FILENAME-FILEINTERN
   ED_PARAMETER_NAME  LIKE                                       X
   ED_PROGRAM_NAME    LIKE        SY-REPID             SY-CPROG  X
   ED_SCREEN_NUMBER   LIKE        SY-DYNNR             SY-DYNNR  X
f) Create the following changing parameters:
   CHANGING parameter  Type spec.  Reference field
   CD_LOGICAL_FILE     LIKE        FILENAME-FILEINTERN
g) Save the changes.
19. FILE_LOGFILE_ALIAS_PAI
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PAI.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_PAI
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_PAI
e) Create the following import parameters:
   Import parameter  Type spec.  Reference field        Proposal  Optional
   ED_LOGFILE_APPL   LIKE        FILENAMECI-FILEINTERN
f) Create the following changing parameters:
   CHANGING parameter  Type spec.  Reference structure
   CD_LOGICAL_FILE     LIKE        FILENAMECI-FILEINTERN
g) Create the following exceptions:
   Exception
   EXC_INVALID_FILENAME
   EXC_VALIDATION_ERROR
h) Save the changes.
20. FILE_LOGFILE_ALIAS_PBO
a) Go to transaction SE37.
b) Specify function module FILE_LOGFILE_ALIAS_PBO.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_LOGFILE_ALIAS_PBO
   Function group        SFIL
   Short text            FILE_LOGFILE_ALIAS_PBO
e) Create the following import parameters:
   Import parameter   Type spec.  Reference field        Proposal  Optional
   ED_LOGFILE_APPL    LIKE        FILENAMECI-FILEINTERN
   ED_PARAMETER_NAME  LIKE                                         X
f) Create the following changing parameters:
   CHANGING parameter  Type spec.  Reference structure
   CD_LOGFILE_PARAM    LIKE        FILENAMECI-FILEINTERN
g) Save the changes.
21. FILE_VALIDATE_NAME
a) Go to transaction SE37.
b) Specify function module FILE_VALIDATE_NAME.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  FILE_VALIDATE_NAME
   Function group        SFIL
   Short text            FILE_VALIDATE_NAME
e) Create the following import parameters:
   Import parameter     Type spec.  Reference field      Proposal  Optional  Pass Value
   CLIENT               LIKE        SY-MANDT             SY-MANDT  X         X
   LOGICAL_FILENAME     LIKE        FILENAME-FILEINTERN                      X
   OPERATING_SYSTEM     LIKE        SY-OPSYS             SY-OPSYS  X         X
   PARAMETER_1                                                     X         X
   PARAMETER_2                                                     X         X
   PARAMETER_3                                                     X         X
   WITH_FILE_EXTENSION                                             X         X
   USE_BUFFER                                                      X         X
   ELIMINATE_BLANKS     LIKE        SY-DATAR                       X         X
f) Create the following export parameters:
   Export parameters  Reference
   VALIDATION_ACTIVE  X
g) Create the following changing parameters:
   CHANGING parameter  Type spec.  Reference type
   PHYSICAL_FILENAME   TYPE        C
h) Create the following table parameters:
   Table parameters  Reference structure  Optional
   TS_ALIAS          FILE_TS_FI           X
i) Create the following exceptions:
   Exception
   LOGICAL_FILENAME_NOT_FOUND
   VALIDATION_FAILED
j) Save the changes.
22. RSAU_WRITE_FILE_AUDIT_LOG
a) Go to transaction SE37.
b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.
c) Choose function Create.
d) Specify the following attributes:
   Attribute             Value
   Function module name  RSAU_WRITE_FILE_AUDIT_LOG
   Function group        SECU
   Short text            RSAU_WRITE_FILE_AUDIT_LOG
e) Create the following import parameters:
   Import parameter         Reference type  Pass value
   IV_LOGICAL_FILE_PROBLEM  I               X
   IV_PARAM_1                               X
   IV_PARAM_2                               X
f) Create the following exceptions:
   Exception
   PARAMETER_ERROR
g) Save the changes.
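How an application program is expected to use the function modules whose interfaces are created above (FILE_LOGFILE_ALIAS_F4, FILE_LOGFILE_ALIAS_PAI and FILE_VALIDATE_NAME, in both the 620-and-higher and the 46C-and-lower variants), as an added example that is not part of this note or of SAP's own code: a report that lets the user pick an alias of the application's logical file name, rejects any other logical file name, and validates the user-supplied physical file name against the configured directory before OPEN DATASET. The report name, the parameter names and the logical file name Z_EXPORT_FILE are assumptions; Z_EXPORT_FILE must be maintained in transaction FILE with a directory check active, and only the parameters common to both interface variants are used. The syntax targets release 620 and higher.

```abap
*&--------------------------------------------------------------------*
*& Added example, not part of SAP Note 1497003 or of SAP's code.
*& Assumptions: report name, parameter names and the logical file
*& name Z_EXPORT_FILE (maintained in transaction FILE with a
*& directory check configured).
*&--------------------------------------------------------------------*
REPORT z_file_validate_example.

PARAMETERS:
  p_lfile      TYPE fileintern DEFAULT 'Z_EXPORT_FILE',  " logical file name or alias
  p_pfile(128) TYPE c LOWER CASE.                        " physical file name typed by the user

AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_lfile.
  " F4 help that offers only Z_EXPORT_FILE and the aliases maintained
  " for it (view V_FILEALIAS / V_FILEA31I); the selected value is
  " written back into the parameter.
  CALL FUNCTION 'FILE_LOGFILE_ALIAS_F4'
    EXPORTING
      ed_logfile_appl   = 'Z_EXPORT_FILE'
      ed_parameter_name = 'P_LFILE'
    CHANGING
      cd_logical_file   = p_lfile.

AT SELECTION-SCREEN ON p_lfile.
  " Reject a logical file name that is neither Z_EXPORT_FILE nor one
  " of its configured aliases, so the user cannot redirect the program
  " to an arbitrary logical file name (and thus an arbitrary path).
  CALL FUNCTION 'FILE_LOGFILE_ALIAS_PAI'
    EXPORTING
      ed_logfile_appl      = 'Z_EXPORT_FILE'
    CHANGING
      cd_logical_file      = p_lfile
    EXCEPTIONS
      exc_invalid_filename = 1
      exc_validation_error = 2
      OTHERS               = 3.
  IF sy-subrc <> 0.
    MESSAGE e809(sg) WITH p_lfile.   " Logical file name '&1' not allowed
  ENDIF.

START-OF-SELECTION.
  DATA lv_physical TYPE string.
  lv_physical = p_pfile.

  " Normalize the physical name and check it against the directory
  " configured for the (possibly aliased) logical file name. Only the
  " value returned in PHYSICAL_FILENAME is used for the file access.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = p_lfile
    CHANGING
      physical_filename          = lv_physical
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  CASE sy-subrc.
    WHEN 0.
    WHEN 1.
      MESSAGE e807(sg) WITH p_lfile.  " Logical file name '&1' does not exist
    WHEN OTHERS.
      " Assumption: the module raises VALIDATION_FAILED with
      " MESSAGE ... RAISING, so sy-msgid/sy-msgno carry SG 805/806 and
      " the message variables name the permitted directory or file name.
      MESSAGE ID sy-msgid TYPE 'E' NUMBER sy-msgno
              WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDCASE.

  " From here on the file name has passed the directory check; the
  " kernel still performs the S_DATASET authorization check on OPEN.
  OPEN DATASET lv_physical FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE e000(sg) WITH 'Cannot open' lv_physical.  " constructed text, message 000 assumed free-text
  ENDIF.
  TRANSFER 'example content' TO lv_physical.
  CLOSE DATASET lv_physical.
```

The point of the pattern is that the program never uses the string the user typed: the logical file name the user may choose is restricted to the aliases an administrator configured, and the physical name is replaced by the value FILE_VALIDATE_NAME returns after normalization and the directory check. If validation is not active for the logical file name, the module returns without an error and, as the note describes, writes system log entry CU T; activating the system log or security audit log is what makes such unconfigured paths visible.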
Create New Includes
23. LSFILF03
a) Go to transaction SE38.
b) Specify program LSFILF03.
c) Choose function Create.
d) Specify the following attributes:
   Attribute  Value
   Title      LSFILF03
   Type       Include program
e) Save the changes.
------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_APPL            SAP Application              |
| Release 31I         Until SAPKH31IB8                                 |
| Release 40B         Until SAPKH40B88                                 |
| Release 45B         Until SAPKH45B66                                 |
------------------------------------------------------------------------
After implementation of the correction instructions please use SA38 to run report RSFILECR. RSFILECR will modify domain FILEFORMAT and generate logical file names and paths according to the software components installed in your system. The program will request a transport request for these changes. You should use the same transport request that you used for implementing the correction instructions.
Afterwards include the object list of the transport you imported in the manual pre-implementation step into this transport request.
This will result in all changes necessary for this note being contained in one single transport request which you can transport throughout the systems which should receive corrections from the correction system where you applied the changes.
How to include the object list
o Start transaction SE09.
o Choose menu path Request/Task >> Display Individually (F5).
o Specify the transport request you used for implementation of the SNOTE correction instructions.
o Choose function Copy (Enter).
o Position the cursor on the transport request ID.
o Choose menu path Request/Task >> Object List >> Include Objects...
o Select option Object list from request and specify the transport request ID of the transport request you imported during the manual pre-implementation step.
o Choose function Copy (Enter).
Additional activities
As described in the main text of the note you should either configure the logical file names and paths created by RSFILECR or activate the system log.
------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS           SAP Basis compo...           |
| Release 46C         Until SAPKB46C61                                 |
| Release 46B         Until SAPKB46B61                                 |
| Release 620         Until SAPKB62069                                 |
| Release 640         Until SAPKB64027                                 |
| Release 700         Until SAPKB70023                                 |
| Release 710         Until SAPKB71011                                 |
| Release 711         Until SAPKB71106                                 |
| Release 701         Until SAPKB70108                                 |
| Release 702         Until SAPKB70206                                 |
| Release 730         Until SAPKB73001                                 |
| Release 720         Until SAPKB72004                                 |
------------------------------------------------------------------------
After implementation of the correction instructions please use SA38 to run report RSFILECR. RSFILECR will modify domain FILEFORMAT and generate logical file names and paths according to the software components installed in your system. The program will request a transport request for these changes. You should use the same transport request that you used for implementing the correction instructions.
Afterwards include the object list of the transport you imported in the manual pre-implementation step into this transport request.
This will result in all changes necessary for this note being contained in one single transport request which you can transport throughout the systems which should receive corrections from the correction system where you applied the changes.
How to include the object list
o Start transaction SE09.
o Choose menu path Request/Task >> Display Individually (F5).
o Specify the transport request you used for implementation of the SNOTE correction instructions.
o Choose function Copy (Enter).
o Position the cursor on the transport request ID.
o Choose menu path Request/Task >> Object List >> Include Objects...
o Select option Object list from request and specify the transport request ID of the transport request you imported during the manual pre-implementation step.
o Choose function Copy (Enter).
Additional activities
As described in the main text of the note you should either configure the logical file names and paths created by RSFILECR or activate the security audit log.
Header Data
Release Status:     Released for Customer
Released on:        02.02.2011 13:14:24
Master Language:    English
Priority:           Correction with high priority
Category:           Program error
Primary Component:  BC-CCM-FIL Platform independent file names
Valid Releases
Software Component  Release  From Release  To Release  and Subsequent
SAP_APPL 30 31I 31I
SAP_APPL 40 40B 40B
SAP_APPL 45 45B 45B
SAP_APPL 46C 46C 46C
SAP_BASIS 46 46A 46D
SAP_BASIS 60 610 640
SAP_BASIS 70 700 702
SAP_BASIS 71 710 730
SAP_BASIS NGAP 72L 72L
Support Packages
Support Packages Release Package Name
SAP_APPL 31I SAPKH31IB9
SAP_APPL 40B SAPKH40B89
SAP_APPL 45B SAPKH45B67
SAP_BASIS 46B SAPKB46B62
SAP_BASIS 46C SAPKB46C62
SAP_BASIS 46C SAPKB46C63
SAP_BASIS 620 SAPKB62070
SAP_BASIS 620 SAPKB62071
SAP_BASIS 640 SAPKB64027
SAP_BASIS 640 SAPKB64028
SAP_BASIS 640 SAPKB64029
SAP_BASIS 700 SAPKB70023
SAP_BASIS 700 SAPKB70024
SAP_BASIS 700 SAPKB70026
SAP_BASIS 701 SAPKB70108
SAP_BASIS 701 SAPKB70109
SAP_BASIS 701 SAPKB70111
SAP_BASIS 702 SAPKB70205
SAP_BASIS 702 SAPKB70206
SAP_BASIS 702 SAPKB70207
SAP_BASIS 702 SAPKB70209
SAP_BASIS 702 SAPKB70210
SAP_BASIS 710 SAPKB71012
SAP_BASIS 710 SAPKB71013
SAP_BASIS 710 SAPKB71014
SAP_BASIS 711 SAPKB71107
SAP_BASIS 711 SAPKB71108
SAP_BASIS 711 SAPKB71109
SAP_BASIS 720 SAPKB72004
SAP_BASIS 720 SAPKB72005
SAP_BASIS 720 SAPKB72006
SAP_BASIS 720 SAPKB72007
SAP_BASIS 730 SAPKB73001
SAP_BASIS 730 SAPKB73002
SAP_BASIS 730 SAPKB73004
SAP_BASIS 730 SAPKB73005
SAP_BASIS 730 SAPKB73007
Related Notes
Number Short Text
1775317 Directory traversal in IS-PS-CA
1775171 Directory traversal in FI-CA
1745442 RFIMPNBS - Potential directory traversals
1725378 Path evaluation for SAPFTP functionality in CA-DMS
1718378 Directory Traversal in Query Snapshot
1710330 Path evaluation for SAPFTP functionality in BC-SRV-KPR
1699041 IN86: Potential Directory Traversal
1698242 FI: Potential Directory Traversal- Italy(RFIDITVCL)
1692988 Directory traversal in SFTP modules
1677913 Documents: Incorrect Document Creation via Batch Input
1677794 Creation of submission data for Deutsche Post AG
1658791 Directory traversal in Deposits Management
1627531 PT: Mapas Fiscais - Portaria nº 92-A/2011 XML for SNC forms
1620072 Directory traversal in PY-FR-IE
1615093 Directory traversal in IS-H-CM
1612092 PSM: Potential Directory Traversal
1608454 Directory traversal in IS-H-BD
1607881 Directory traversal in IS-H-CM
1606787 HR-RU: Potential directory traversal
1603934 Directory Traversal in XX-CSC-AR
1602943 FI-CA Potential directory traversal
1602328 Directory traversal in PY-FR
1600879 CA-DMS: Potential Directory Traversal
1599261 MM: Potential directory traversal
1599164 Directory traversal in FI-FM
1599094 HCM: Directory traversal in PT-TL
1599072 Directory traversal in RE-BD
1598990 FI: Potential Directory Traversal- Korea
1598898 DNF: Potential Directory Traversal
1598851 Directory traversal in PY-FR-IE
1598791 Potential Directory Traversal in PY-NL
1598699 Potential Directory Traversal in PY-NL
1598698 Potential Directory Traversal in PA-PF-NL
1598420 ZFM/ALC: Potential Directory Traversal
1598417 DIRF: Potential Directory Traversal
1598415 SINTEGRA: Potential Directory Traversal
1598360 MANAD: Potential Directory Traversal
1598285 Directory Traversal in Payroll Belgium PY-BE
1598152 Directory Traversal in Payroll Belgium PY-BE
1597920 FI: Potential Directory Traversal - RFIDITSR00
1597789 IN86: Potential Directory Traversal
1597786 Potential directory traversal - Finland (FOTV)
1597402 Directory traversal in XX-CSC-AT
1597158 FI: Potential Directory Traversal-Venezuela
1597146 FI: Potential Directory Traversal- Italy(RFIDITBLIST)
1597062 FI: Potential Directory Traversal-Spain
1596487 FI-Potential Directory Traversal: J_1AF016
1596473 Directory Traversal in XX-CSC-IN-FI
1596424 FI-Potential Directory Traversal: RFQSCI01
1595064 Bank statement: Potential directory traversal
1594978 Directory traversal in FI-CA
1594359 FI: Potential Directory Traversal - Mexico
1594294 FI: Potential Directory Traversal - Argentina
1593845 Clarification on implementation of Notes 1497003 and 1543851
1593605 FI-Potential Directory Traversal: J_1AF014
1593164 Directory Traversal in Treasury Confirmation
1592470 Directory traversal in the site master import/export
1591557 Potential directory traversal in utility report RPUOTFL0
1590764 EC-CS: Potential Directory Traversal
1590299 Directory Traversal in PP-BD-RTG
1589715 Directory traversal in card application component
1589424 Directory traversal in FI-CA
1589216 FI-AA Data Takeover: Potential Directory Traversal
1588734 FI-AP/AR: Potential Directory Traversal
1587411 Directory traversal in FI-CA-BI
1586893 Directory Traversal in LO-INT-ESO
1584976 FS-CD: Potential Directory Traversal
1584972 Directory traversal in FI-CA
1584421 FI-CA Potential Directory Traversal
1584242 Directory Traversal in the RSCRM framework
1582743 Directory Traversal issue in CA-GTF-RCM
1575722 Directory traversal in BW
1574333 Directory traversal in RE-RT-SC
1574302 Directory traversal in RE-BD and RE-RT
1573997 Potential Directory Traversal in Translation Tools
1571280 SLL-LEG-FUN-UPL: Directory Traversal
1566528 Directory traversal in IS-M
1564732 Installation of SPND on ERP 6.0
1556515 SLL-LEG-FUN-UPL: Directory Traversal
1543851 Potential directory traversals in applications
1542033 Update #1 for security note 1497003
1540257 Potential directory traversal in bill of exchange trans.
1537765 CA-DMS: Potential Directory Traversal
1535492 Directory Traversal in SCM-FRE-FRP
1535062 Directory Traversal in IS-R-LG-RMA
1534637 RN1_CORRECT_CORDTYPES: Potential Directory Traversal
1533996 HCM:Potential Directory Traversal in Payroll Switzerland
1533776 FI: Potential Directory Traversal
1533533 FI: Potential Directory Traversal- Belgium and France
1533500 Argentina J1ACAE: Potential Directory Traversal
1533478 FI-Potential Directory Traversal
1533447 FI: Potential Directory Traversal - PL/HU/CZ/IT
1533445 FI: Potential Directory Traversal - Austria
1532960 Funding Management: Potential directory traversals
1532325 LO-MD-MM: Directory traversal vulnerability
1531793 Potential directory traversals /CCEE/SIFI_EXPORT_GL_LINE
1531054 Potential Directory Traversal in XX-CSC-IL
1530895 Transaction IBIP: Potential Directory Traversal
1526997 Subsequent corr.: Directory Traversal in foreign trade
1526753 FI: Potential Directory Traversal-Additional corrections
1526102 IS-H: Directory Traversal Vulnerability in IS-H
1524781 Directory Traversal batch input BOMs
1522787 Directory Traversal in BC-SRV-KPR-CMS
1522150 Directory Traversal in BC-SRV-KPR-CMS
1521857 RN2_MSI_ADT: Directory Traversal
1521099 Directory Traversal in MM-PUR-VM-SET
1521084 Potential Directory Traversal for report RSTEXTA3
1521046 Potential Directory Traversal in Proposal Pool Export Funct.
1519061 IS-H AT: Directory Traversal in various reports
1518729 MM: Potential Directory Traversal
1518727 EC-PCA: Potential Directory Traversal
1518726 FIN-CGV-MIC: Potential Directory Traversal
1518587 EC-CS: Potential Directory Traversal
1518284 EWM: Potential Directory Traversal
1517930 Travel Expenses: Potential directory traversal
1517832 HCM:Potential Directory Traversal in Payroll Russia PY-RU
1517831 HCM:Potential Directory Traversal in Payroll NPO
1517830 HCM:Potential Directory Traversal in Payroll GB PS
1517828 HCM:Potential Directory Traversal in Payroll Singapore PY-SG
1517825 HCM: Potential Directory Traversal in Payroll Canada PY-CA
1517472 FI-GL-IS: Potential Directory Traversal
1514432 CM: Potential directory traversal issues
1514017 Directory Traversal in transactions CL6E and CL6F
1513492 Directory traversal in SAP Product and REACH Compliance
1512396 Potential directory traversals in application N2UX
1511995 CML/FIN-FSCM-CM: Potential Directory Traversal
1511889 Solving security issue in CPCC_DT_CREATE_SAMPLE_DATA
1511686 DART: Potential Directory Traversal
1511617 FI-BL-PT-FO: Possible directory traversal
1511612 Directory Traversal when displaying hardware information
1511552 Directory Traversal / 8 issues/reopen in EDT
1511119 ICM: Potential Directory Traversal
1511114 ICM: Potential Directory Traversal
1510866 RN1_CORRECT_CORDTYPES: Potential Directory Traversal
1510795 Potential directory traversals using report RLMG0020
1510789 Travel Expenses: Potential directory traversal
1510773 Directory Traversal in RFC modules in classification
1510642 Directory Traversal in foreign trade
1510478 MM: Potential Directory Traversal
1510407 IS-H: Directory Traversal Vulnerability in IS-H
1510372 FS-CD Potential Directory Traversal
1509975 Change access to a file allowed in product control
1509915 Directory Traversal in SAP Payment Engine
1509883 FI-CA Data Transfer - Directory Traversal
1509869 Market Data Interface: Potential Directory Traversal
1509800 Bank Statement: Potential Directory Traversal
1509794 Directory Traversal in transactions CL6E and CL6F
1509722 Potential directory traversals in Creating Limits
1509654 FI: Potential Directory Traversal - Turkey
1509631 RE-FX-SC, RE-FX-MM: Potential Directory Traversal
1509427 FI: Potential Directory Traversal - Spain
1509424 RE-Classic Potential Directory Traversal
1509403 Potential directory traversals in transaction TVDT
1509372 Healthcare Clinical System - Potential Directory Traversal
1509235 Directory Traversal in RFC modules in classification
1509179 Potential directory traversals in batch input programs
1508475 Potential directory traversals in RKEVEXT0
1508380 FI: Potential Directory Traversal-FRANCE
1508378 FI: Potential Directory Traversal - Austria
1508373 FI: Potential Directory Traversal - Portugal
1507980 Directory traversal in redemption schedule batch program
1507936 HCM: Potential Directory Traversal in German Payroll PY-DE
1507935 HCM: Potential Directory Traversal Internat. Payroll PY-XX
1507789 FI: Potential Directory Traversal - China
1507279 FI: Potential Directory Traversal
1507211 FI: Potential Directory Traversal
1507122 FI-CA Potential Directory Traversal
1506843 FI: Potential Directory Traversal
1506736 CML: Potential Directory Traversal
1505512 Bank master data: Potential Directory Traversal
1505368 EHS: Potential Directory Traversal
1504497 COPA: Potential Directory Traversal
1504446 Directory Traversal in the RCCF engines
1504445 Directory Traversal in the RCCF engines
1504416 Potential Directory Traversal
1504205 CM: Potential Directory Traversal ICL_VEHCATALOG
1504203 CM: Potential Directory Traversal ICL_DIAG_UPLOAD
1504190 PSM: Potential Directory Traversal
1504122 CM: Potential Directory Traversal ICL_ICLCLAIMDATA_UPLOAD
1504116 CM: Potential Directory Traversal ICL_DATA_UP_DOWNLOAD
1504062 SCM: Potential Directory Traversal
1503884 Directory Traversal in ISMW
1502931 IS: Potential Directory Traversal
1502918 Directory Traversal in Archivelink function modules
1502766 BCA: Potential Directory Traversal
1502539 Directory traversal in job commander
1502331 Directory traversal: DUEVA download in old regulatory rptg
1502330 Directory traversal in DUEVA download function of BaFin
1502329 Directory traversal: Download for old FMA in Austria
1502295 Directory Traversal in BC-SRV-KPR-CMS
1501905 Directory traversal: Old regulatory rptg in Austrian FMA
1501874 Investment Management: Potential Directory Traversal
1501632 FIN-SEM: Potential Directory Traversal
1501631 CO-OM: Potential Directory Traversal
1500050 LO-MD-MM: Potential Directory Traversal
1499116 FI: Potential Directory Traversal
1499042 Directory Traversal in batch input reports in class system
1498832 FI: Potential Directory Traversal
1497792 Solving security issue in TAO Agent
1493379 Directory traversal in the SCM Optimizers
1489912 BCA: Potential Directory Traversal
1488739 CML: Possible directory traversal
1488541 Potential Directory Traversal in RCCULC01
1487019 Directory Traversal in RM_INITIAL_DATA_LOAD
1473165 Obsolete programs in PSM-FG - Directory Traversal
1471687 Directory traversal in VKT_READ_FORM_AC
1471495 Directory Traversal in report CRM_LEAS_MIGRATE_BILS
Attributes
Attribute   Value
Security    Security is endangered
Attachments
File Type   File Name   Language   Size
PDF SecurityAuditLog.pdf E 142 KB
PDF SecureProgramming_LogFileNames.pdf E 97 KB
ZIP Basis_620_and_higher.zip E 204 KB
PDF Logical_File_Names.pdf E 112 KB
PDF Logische_Dateinamen.pdf E 114 KB
ZIP RSFILECR.zip E 36 KB
ZIP Basis_46C_and_lower.zip E 58 KB
SP Patch Level
Software Component Version   Support Package   SP Patch Level
SAP KERNEL 6.40 32-BIT UNICODE SP353 000353
SAP KERNEL 6.40 64-BIT UNICODE SP353 000353
SAP KERNEL 7.00 32-BIT SP278 000278
SAP KERNEL 7.10 32-BIT SP224 000224
SAP KERNEL 7.00 32-BIT UNICODE SP278 000278
SAP KERNEL 7.00 64-BIT SP278 000278
SAP KERNEL 7.00 64-BIT UNICODE SP278 000278
SAP KERNEL 7.10 64-BIT UNICODE SP224 000224
SAP KERNEL 7.10 64-BIT SP224 000224
SAP KERNEL 7.10 32-BIT UNICODE SP224 000224
SAP KERNEL 7.2L 64-BIT UNICODE SP023 000023
ACF 7.12 SP000 000035
SAP ITS 6.20 SP040 000040
SAP KERNEL 6.40 32-BIT SP353 000353
SAP KERNEL 6.40 64-BIT SP353 000353
R/3 KERNEL 3.1I_EXT 32-BIT SP786 000786
SAP KERNEL 4.0B_EXT 32-BIT SP1076 001076
SAP KERNEL 4.5B_EXT 32-BIT SP1007 001007
SAP KERNEL 4.6D_EXT 32-BIT SP2551 002551
SAP KERNEL 4.0B_EXT 64-BIT SP1076 001076
R/3 KERNEL 3.1I_EXT 64-BIT SP786 000786
SAP KERNEL 4.6D_EXT 64-BIT SP2551 002551
SAP KERNEL 4.5B_EXT 64-BIT SP1007 001007
SAP GUI FOR WINDOWS 7.10 CORE SP002 000002
SAP KERNEL 4.6D_EX2 32-BIT SP2551 002551
SAP KERNEL 6.40_EX2 32-BIT SP353 000353
SAP KERNEL 6.40_EX2 32-BIT UC SP353 000353
SAP KERNEL 4.6D_EX2 64-BIT SP2551 002551
SAP KERNEL 6.40_EX2 64-BIT SP353 000353
SAP KERNEL 6.40_EX2 64-BIT UC SP353 000353
SAP KERNEL 7.01 32-BIT SP118 000118
SAP KERNEL 7.01 32-BIT UNICODE SP118 000118
SAP KERNEL 7.01 64-BIT SP118 000118
SAP KERNEL 7.01 64-BIT UNICODE SP118 000118
SAP KERNEL 7.11 32-BIT SP110 000110
SAP KERNEL 7.11 32-BIT UNICODE SP110 000110
SAP KERNEL 7.11 64-BIT SP110 000110
SAP KERNEL 7.11 64-BIT UNICODE SP110 000110
SAP KERNEL 7.20 32-BIT SP068 000068
SAP KERNEL 7.20 32-BIT UNICODE SP068 000068
SAP KERNEL 7.20 64-BIT SP068 000068
SAP KERNEL 7.20 64-BIT UNICODE SP068 000068
Symptoms - Side-Effects
The following SAP Notes correct this SAP Note / patch:
SAP Note Reason   Version from   Version to   SAP Note Solution   Version   Support Package
1497003 1542033 1
1497003 1549786 1
1497003 1550116 1
1497003 1605703 1
Correction Instructions
Correction Instructions   Valid from   Valid to   Software Component   Type *)   Reference Correction   Last Changed
926823 45B 45B SAP_APPL C Y4DK8A0BK0 04.01.2011 05:17:50
926824 40B 40B SAP_APPL C Y4BK012323 04.01.2011 05:18:18
926825 31I 31I SAP_APPL C P3IK061635 04.01.2011 05:18:56
939926 31I 31I SAP_APPL C P3IK061690 04.01.2011 05:50:28
939927 40B 40B SAP_APPL C Y4BK012347 04.01.2011 06:22:34
939928 45B 45B SAP_APPL C Y4DK8A0BKA 04.01.2011 06:23:15
917253 620 620 SAP_BASIS C Y6BK103681 04.01.2011 05:07:26
926803 730 730 SAP_BASIS C Y3YK004199 04.01.2011 05:09:43
926815 720 720 SAP_BASIS C Y2ZK030019 04.01.2011 05:10:48
926816 711 711 SAP_BASIS C Y7DK050700 04.01.2011 05:11:44
926818 702 710 SAP_BASIS C Y7CK057280 04.01.2011 06:57:22
926819 701 701 SAP_BASIS C Y1AK054397 04.01.2011 05:14:33
926820 700 700 SAP_BASIS C Y7AK115700 04.01.2011 05:15:24
926821 640 640 SAP_BASIS C Y6DK092194 04.01.2011 05:16:23
926822 46B 46B SAP_BASIS C Y9BK034693 04.01.2011 05:17:10
935951 620 730 SAP_BASIS C YI2K044400 22.12.2010 03:15:33
937781 730 730 SAP_BASIS C Y3YK005937 04.01.2011 05:35:29
937782 730 730 SAP_BASIS C Y3YK005341 04.01.2011 05:36:30
937868 720 720 SAP_BASIS C Y2ZK031052 04.01.2011 05:38:04
937869 711 711 SAP_BASIS C Y7DK051991 04.01.2011 05:38:57
937870 710 710 SAP_BASIS C Y7CK058491 04.01.2011 05:39:27
937871 702 702 SAP_BASIS C YI2K042223 04.01.2011 06:58:32
937872 701 701 SAP_BASIS C Y1AK055738 04.01.2011 06:59:05
937873 700 700 SAP_BASIS C Y7AK116905 04.01.2011 06:59:32
937924 640 640 SAP_BASIS C Y6DK093063 04.01.2011 05:42:23
937925 620 620 SAP_BASIS C Y6BK104291 04.01.2011 05:43:14
938249 701 701 SAP_BASIS C Y1AK055255 04.01.2011 05:44:21
939850 711 711 SAP_BASIS C Y7DK051537 04.01.2011 05:45:07
939851 702 710 SAP_BASIS C Y7CK058065 04.01.2011 05:46:10
939853 700 700 SAP_BASIS C Y7AK116978 04.01.2011 05:47:50
939897 46C 46C SAP_BASIS C Y9CK064936 04.01.2011 05:48:34
939924 640 640 SAP_BASIS C Y6DK092787 04.01.2011 05:49:12
939925 620 620 SAP_BASIS C Y6BK104090 04.01.2011 05:49:49
939929 46C 46C SAP_BASIS C Y9CK065122 04.01.2011 06:23:57
951576 620 620 SAP_BASIS C Y6BK104558 04.01.2011 06:54:57
952327 730 730 SAP_BASIS C Y3YK008466 04.01.2011 06:54:20
952328 720 720 SAP_BASIS C Y2ZK033239 04.01.2011 06:53:55
952329 711 711 SAP_BASIS C Y7DK053557 04.01.2011 06:53:21
952330 702 710 SAP_BASIS C Y7CK059898 04.01.2011 06:52:57
952331 701 701 SAP_BASIS C Y1AK057454 04.01.2011 06:51:51
952332 700 700 SAP_BASIS C Y7AK118479 04.01.2011 07:05:25
952333 640 640 SAP_BASIS C Y6DK093482 04.01.2011 07:05:44
*) C Correction, B Preprocessing, A Postprocessing, M Undefined Work