sapnote_0001497003

Date post: 13-Apr-2015
Upload: carlos-gomez

28.02.2013 Page 1 of 40

SAP Note 1497003 - Potential directory traversals in applications

Note Language: English Version: 16 Validity: Valid Since 02.02.2011

Summary

Symptom
This Security Note has been updated. See the following notes for details:

1. 1542033

Potential directory traversals in applications using physical file names or logical file names as input.

Other terms
path traversal, FILE_VALIDATE_NAME, FILE_GET_NAME, FILE, SF01, FILE_NOT_FOUND, LOGICAL_FILENAME_NOT_FOUND, VALIDATION_FAILED, SG 001, 805, 806, 807, 808, 809

Reason and Prerequisites
Some SAP applications contain vulnerabilities through which a malicious user can potentially read or write arbitrary files on the application server, possibly disclosing confidential information or corrupting data or altering system behavior. The problem is typically caused by user interfaces that allow input of a physical file name, or selection of an arbitrary logical file name.

Important Note
If you do not carry out the steps as described in note 1497003 you will create a syntax error in one of the central function groups of your system and make your system unusable. Please refer to note 1550116 for additional information.

Solution
In order to address this issue without disrupting established processes, SAP introduces the following enhancements to the ABAP runtime (KERNEL and SAP_BASIS):

1. All file system paths are normalized before checks against authorization object S_DATASET or customizing table SPTH are performed. Normalization means that:

a) Redundant '.'s are removed (e.g. a/./b => a/b).

b) Path components followed by '..' are removed (e.g. a/b/../c => a/c) - Note that for links this semantic is not identical to following .. on the real file system. SAP recommends not to use .. and in particular not the combination of .. and links.

c) If a platform supports different path separators, path separators are replaced by their default representation (Windows allows either '/' or '\', so a/b\c => a\b\c)

2. Comparison against paths in authorization checks will be case insensitive on Windows, as Windows doesn't distinguish letter case in file names.

3. Flags FS_NOREAD and FS_NOWRITE and checks against authorization object S_PATH are implemented as described in the Online Documentation, e.g. at
http://help.sap.com/saphelp_nw70/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for NetWeaver 7.0)
or
http://help.sap.com/saphelp_bw/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for BW)

4. A mechanism to validate physical file names against a logical file name, giving administrators the option to configure directories that are valid in the respective application context. For user interfaces that allow input of a logical file name, administrators can define a set of aliases of logical file names valid within that scenario. Please refer to the documentation on logical file names for more information on this indirection mechanism. The documentation is also attached to this note as a PDF file.

5. Please note that this mechanism does not ensure security unless you configure physical file names or aliases, thus enforcing validation. In order to support customers with that task, report RSFILENA has been enhanced in order to spot logical file names that are not configured to use the implemented validation mechanism.

The central mechanism is used in application code updated by the referenced notes. All of these notes describe changes to applications, where

a) Physical file names can be entered without sufficient validation.

b) Logical file names can be selected without sufficient validation.

c) a) or b) in code or functionality that SAP considers obsolete and that is therefore removed or disabled as otherwise customers would have to configure obsolete validations as well.

Implementation

1. Please update your kernel at least to the patchlevel indicated in the SP Patch Level section of this note. Please note that the kernel patch package referenced in the SP Patch Level section is the "disp+work package". This kernel patch level was released in December 2010 and is definitely available for all releases.

Note: the corrections below do not have a hard dependency on the kernel change and therefore can be implemented before updating the kernel. However in order to avoid inconsistent runtime checking, SAP recommends to update the kernel as soon as possible and no later than starting the configuration process.

2. Please implement support packages as indicated in the support package section of this note and the notes referencing it. Alternatively you can apply the respective correction instructions. As quite a number of objects were added, a transport is being made available that contains all new objects of this note (logical file name functionality). For releases 640 and below, another transport containing the modified objects is available as well, plus a transport containing report RSFILECR.

Note: when importing the transports be sure to have versioning turned on. You may have to use unconditional mode to ensure any other corrections or modifications are not blocking the import. Be sure to check the transport results and follow up on conflicts if any.

3. The logical file name and file path definitions of applications are also delivered via report RSFILECR that needs to be executed once after implementation of the correction instructions.

The report also changes the fixed values of domain FILEFORMAT. Depending on your release and support package level you might get a corresponding message or you might have to register the object for changes before the fixed values can be changed.

4. The correction instructions in this note do not fix any of these vulnerabilities but instead provide standard functionality and instructions to address this kind of vulnerability in applications. You need to implement the referenced notes as well and follow the configuration instructions below in order to secure the applications.

Please refer to related notes for applications affected and adopting this solution. SAP recommends to implement (and then configure) all notes of all software components installed in the respective system, irrespective of whether the application is used, as otherwise - depending on your authorization implementation - vulnerabilities in unused application might be exploited by a malicious user.

5. You should also check whether your own coding contains similar vulnerabilities. Please refer to the attached secure programming guide on logical file names (SecureProgramming_LogFileNames.pdf). Starting with NetWeaver release 7.00 you can use the report RS_ABAP_SOURCE_SCAN to search for any OPEN DATASET statements in applications belonging to your own namespaces (Y*, Z*, maybe others you registered).

Configuration

1. If authorization object S_DATASET is used (i.e. it contains real file system paths, not only *), these paths must be normalized in accordance with 1. above.

2. If customizing table SPTH contains any path entries, they must be normalized as well. As customizing table SPTH cannot distinguish between different operating systems, all paths for all application servers have to be maintained in their normalized form.

3. If customizing table SPTH contains any entries in the fields FS_NOREAD or FS_NOWRITE make sure that these entries are really intended. Be especially careful with an entry PATH=*, FS_NOREAD=X, FS_NOWRITE=X as it disallows any access to the file system except for paths explicitly maintained in SPTH. Also Path PATH=*, FS_NOREAD=X, FS_NOWRITE=' ' has the same effect as PATH=*, FS_NOREAD=X, FS_NOWRITE=X.

4. Implementing the support package or corrections does not enable the validation features. Administrators will have to configure the logical paths of logical file names accordingly. Please refer to the attached documentation on logical file names for instructions how to use configuration tools.
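
The normalization rules from items 1 and 2 of the Solution section, together with the requirement in Configuration items 1 and 2 that S_DATASET and SPTH paths be kept in normalized form, as an added Python example (not SAP code and not part of the original note). The function names, the trailing-'*' generic matching and the sample entries are assumptions for illustration; drive letters and links get no special handling.

```python
# Added example: a lexical model of the documented normalization rules.
# It never touches the file system, so links are not resolved (the note's
# caveat about '..' combined with links still applies).

def normalize(path, windows=False):
    """Normalize a path according to rules a), b) and c) of the note."""
    sep = "\\" if windows else "/"
    if windows:
        # Rule c): Windows accepts '/' and '\'; use the default separator.
        path = path.replace("/", sep)
    absolute = path.startswith(sep)
    out = []
    for part in path.split(sep):
        if part in ("", "."):
            # Rule a): redundant '.' is dropped. Empty components are
            # dropped too; the note does not specify this (assumption).
            continue
        if part == "..":
            if out and out[-1] != "..":
                out.pop()            # Rule b): 'x/..' cancels out
            elif not absolute:
                out.append("..")     # nothing left to cancel in a relative path
            continue
        out.append(part)
    return (sep if absolute else "") + sep.join(out)


def same_path(a, b, windows=False):
    """Compare two paths after normalization; case insensitive on Windows."""
    a, b = normalize(a, windows), normalize(b, windows)
    return a.lower() == b.lower() if windows else a == b


def covered(path, entry, windows=False, normalized=True):
    """True if `path` falls under `entry`. A trailing '*' makes the entry
    generic (assumed matching model). normalized=False imitates a check
    that skips normalization, as on a partially updated system."""
    if normalized:
        path, entry = normalize(path, windows), normalize(entry, windows)
    if windows:
        path, entry = path.lower(), entry.lower()
    if entry.endswith("*"):
        return path.startswith(entry[:-1])
    return path == entry


def non_normalized(entries, windows=False):
    """Return (entry, normalized form) for every entry that must be fixed."""
    return [(e, normalize(e, windows)) for e in entries
            if normalize(e, windows) != e]


# Constructed sample of path values as they might appear in S_DATASET or SPTH.
SAMPLE_ENTRIES = [
    "*",
    "/usr/sap/trans/*",
    "/usr/sap/./tmp/*",
    "/usr/sap/tmp/../work/*",
    "/interfaces/in",
]

if __name__ == "__main__":
    for entry, fixed in non_normalized(SAMPLE_ENTRIES):
        print("maintain %-26s as %s" % (entry, fixed))
    name = "/usr/sap/tmp/../work/out.txt"   # constructed file name
    print("unnormalized check:", covered(name, "/usr/sap/tmp/*", normalized=False))
    print("normalized check:  ", covered(name, "/usr/sap/tmp/*"))
```

The last two lines show why a system in which only some checks normalize can grant and deny the same file name, the situation described under Troubleshooting 3 a).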

Whether you enforce path validation immediately or use a grace period may depend on whether you had instructions to use specific physical paths in place previously and also on the confidentiality level of files stored on the application server. In order to support administrators with the task of identifying file locations in use, the security audit log can be configured to log any validation that is not performed due to unconfigured paths or missing aliases, as well as any validation that fails due to the file name being outside the defined paths. If you use this feature, you should regularly check the security audit log for any file name not configured and also help users migrate to a valid path. Please note that activating file name validation will also affect previously scheduled jobs for the corresponding programs. Once you activate file name validation you should monitor job results closely in order to avoid disruptions.
Documentation of the security audit log is attached as a PDF to this note.

In releases 31I to 46C the system log is used instead of the security audit log.

In case business users are supposed to specify file names in different file paths in the application server file system, SAP recommends that you define additional logical file names in customer name space Y* or Z*, pointing to different file paths in the application server file system, and define them as aliases of the SAP defined logical file name.
Please note that aliases are checked in ascending alphabetical order. If the user specifies a physical file name which does not match the specifications of any of the aliases the user will be directed to specify a physical file name according to the last alias.

Example
Program EXAMPLE_ACCESS_APPL_SERVER_FILE uses logical file name EXAMPLE_FILE to validate user input. You defined EXAMPLE_FILE so the user should specify a file name in directory /usr/SAP/tmp/test. You also created logical file name ZTEST_FILE and defined it so the user should specify a file name in directory /usr/SAP/work/test. You defined ZTEST_FILE as an alias for EXAMPLE_FILE. If the user specifies a file name outside both of the file paths you specified, the user will be notified that a file name in directory /usr/SAP/work/test must be specified.
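
The alias check described above, modeled on the EXAMPLE_FILE / ZTEST_FILE scenario as an added Python example (not SAP code and not part of the original note). The function name, the return tuple, the logical file name UNUSED_FILE and the tested file names are constructed; checking the application's own logical file name before its aliases is an assumption.

```python
import posixpath

# Constructed configuration mirroring the note's example. UNUSED_FILE has no
# directory assigned, i.e. it exists but is not configured for validation.
LOGICAL_DIRS = {
    "EXAMPLE_FILE": "/usr/SAP/tmp/test",
    "ZTEST_FILE": "/usr/SAP/work/test",
    "UNUSED_FILE": None,
}
ALIASES = {"EXAMPLE_FILE": ["ZTEST_FILE"]}


class LogicalFilenameNotFound(Exception):
    """Models the exception LOGICAL_FILENAME_NOT_FOUND."""


class ValidationFailed(Exception):
    """Models the exception VALIDATION_FAILED."""


def validate_name(logical_filename, physical_filename):
    """Return (validation_active, file_name, matched_logical_name)."""
    if logical_filename not in LOGICAL_DIRS:
        raise LogicalFilenameNotFound(logical_filename)
    if LOGICAL_DIRS[logical_filename] is None:
        # Not configured: nothing is enforced and the name passes unchanged.
        # This is the case the audit log can record so that administrators
        # find logical file names that still need a directory.
        return False, physical_filename, None
    # Normalize first, so that '.' and '..' cannot hide the real directory.
    normalized = posixpath.normpath(physical_filename)
    # Assumption: the application's own logical file name is tried first,
    # then its configured aliases in ascending alphabetical order.
    candidates = [logical_filename] + sorted(
        a for a in ALIASES.get(logical_filename, []) if LOGICAL_DIRS.get(a))
    for name in candidates:
        directory = LOGICAL_DIRS[name].rstrip("/") + "/"
        if normalized.startswith(directory):
            return True, normalized, name
    # No candidate matched: the user is pointed to the last one checked.
    raise ValidationFailed(
        "Specify a file name in '%s'" % LOGICAL_DIRS[candidates[-1]])


def check(logical_filename, physical_filename):
    """Helper for the demo: turn the outcome into a printable string."""
    try:
        return repr(validate_name(logical_filename, physical_filename))
    except (ValidationFailed, LogicalFilenameNotFound) as exc:
        return "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    for lf, pf in [
        ("EXAMPLE_FILE", "/usr/SAP/tmp/test/in.dat"),
        ("EXAMPLE_FILE", "/usr/SAP/work/test/./in.dat"),
        ("EXAMPLE_FILE", "/usr/SAP/tmp/test/../other/in.dat"),
        ("UNUSED_FILE", "/any/where/in.dat"),
    ]:
        print(lf, pf, "->", check(lf, pf))
```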

SAP recommends to configure all logical paths delivered for file name validation. If you are not actively using all applications or integration scenarios you should assign a physical path for which the application server user used for file access is not authorized to each of the validation file names. Alternatively you can create a logical file name using such a physical path and assign this new logical file name as an alias to all validation file names which should not be used in your system.

You can run report RSFILENA to check for any unconfigured logical file names. This report is also available in the Implementation Guide (IMG) at SAP Customizing Implementation Guide >> SAP Netweaver >> Application Server >> System Administration >> Platform-Independent File Names >> Run Analysis

Troubleshooting

1. Incomplete implementation

Syntax errors like 'The type "CL_FS_PATH" is unknown' or runtime errors like CALL_FUNCTION_NOT_FOUND or CX_SY_DYN_CALL_ILLEGAL_FUNC indicate an incomplete implementation. Be sure to follow the manual steps precisely or import the transports.

2. Incomplete configuration

The exceptions FILE_NOT_FOUND and LOGICAL_FILENAME_NOT_FOUND or the messages 001 and 807 of the message group SG indicate that the logical file name used by the application does not exist in the configuration. Please execute report RSFILECR and use transaction FILE to create the logical file name. If the problem persists, please create the logical file name manually with transaction FILE.

3. Failing authorization checks (function FILE_AUTHORITY_CHECK, statement OPEN DATASET, authorization check S_DATASET or S_PATH)

a) Please check whether the kernel has been updated and the corrections have been applied. If the kernel and the corrections of the notes are inconsistent, it can be very difficult to debug inconsistent customizing and authorizations as only part of the system is performing normalization. E.g. an explicit call to function module AUTHORITY_CHECK_DATASET may grant access to a certain file while the actual call via statement OPEN DATASET denies it or vice versa. There is no issue in case only normalized paths are used.

b) Please check contents of customizing table SPTH for any line containing * plus the flags FS_NOREAD or FS_NOWRITE set to 'X'. In case such an entry exists, you will have to add all file system locations used, possibly using multiple system specific paths. As a temporary workaround you can delete all entries from customizing table SPTH until reasons for the issues have been resolved.

c) Please check authorizations for authorization object S_DATASET for any missing directories. An entry of * grants access to all files.

4. Path normalization is active by default, but can be deactivated by setting the profile parameter 'abap/path_normalization' to value 'off'. Please note that normalization is a prerequisite for validation. Please configure that profile parameter only when advised by SAP development support.

------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_APPL    SAP Application                      |
| Release 31I         Until SAPKH31IB8                                 |
| Release 40B         Until SAPKH40B88                                 |
| Release 45B         Until SAPKH45B66                                 |
------------------------------------------------------------------------

Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.

Basis Release    Relevant Archive(s)
<= 46C           Basis_46C_and_lower.zip & RSFILECR.zip
>= 620           Basis_620_and_higher.zip

Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.

Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:
Attribute                      Value
Title                          RSFILECR
Package / Development Class    SFIL

Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.

If you have decided to import the transport request as suggested you do not need to read through the following instructions (exceptions for releases 620 and 640 see above table).

Alternative: Manual Steps
It is recommended that you import the transport file as described above. This highly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation relevant objects.

If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.

If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well since they contain the changes to the individual objects which have to be corrected.
However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to remove the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.
If you do not remove the checkboxes while applying the correction instructions for note 1497003 in this scenario it is possible that (depending on your release and support package level) some corrections will be applied twice resulting in syntax errors in central function groups almost making it impossible to perform any activities in the system.

Add Fixed Value for Domain FILEFORMAT
Fixed value    Short text
DIR            Check directory for file name validation
Activate the changes.

Create New Data Element FILE_ALIAS
Attribute      Value
Short Text     Alias for a Logical File Name
Domain Name    FILEINTERN
Short Text     Alias
Medium Text    Alias Logical File
Long Text      Alias for a Logical File Name
Header         Alias for a Logical File Name
Activate the changes.

Create New Data Element FILE_LAPPL
Attribute      Value
Short Text     Logical File Name of the Application
Domain Name    FILEINTERN
Short Text     File
Medium Text    Application: File
Long Text      Application: Logical File Name
Header         Logical File Name of the Application
Activate the changes.

Create New Structure FILE_TS_FI

1. General Properties
Attribute     Value
Short text    Logical File Names

2. Field List
Field       Data Element
FILENAME    FILEINTERN

Activate the changes.

Create New Database Table FILEA31I

3. General Properties
Attribute            Value
Short Text           Aliases for Validation of Logical File Names
Delivery Class       G
Tab.Maint.Allowed    Checked

4. Field List
Field         Key    Data Element
RCLNT         X      MANDT
LOGFILE_AP    X      FILE_LAPPL
SEQNR         X      SEQNR
LOGFILE_AL           FILE_ALIAS

5. Foreign Keys
Define foreign key relationship for the following fields:

- LOGFILE_AP

- LOGFILE_AL

a) Accept proposed check table and fields.

b) Activate the changes.

Create New View Maintenance

6. Create DDIC view V_FILEA31I:

a) Start transaction SE54.

b) Specify Table/View V_FILEA31I.

c) Select option ABAP Dictionary.

d) Choose function Create/change.
Attribute            Value
Type                 View
Development Class    SFIL
Short Text           Aliases for Validation of File Names
Table                FILEA31I

e) View Fields
View field    Table       Field name
RCLNT         FILEA31I    RCLNT
LOGFILE_AP    FILEA31I    LOGFILE_AP
SEQNR         FILEA31I    SEQNR
LOGFILE_AL    FILEA31I    LOGFILE_AL

f) Activate the changes.

7. Generate Objects

a) Start transaction SE54.

b) Specify Table/View V_FILEA31I.

c) Select option Generated Objects.

d) Choose function Create/change.
Attribute              Value
Function Group         1SFN
Authorization Group    SC
Maintenance Type       one step
Overview screen        100

e) Choose function Create.

f) Follow the dialog to create the view maintenance objects.

Create New Messages

8. Start transaction SE91.

9. Specify message class SG.

10. Choose option Messages.

11. Choose function Change.

12. Create the following messages. Please note that due to formatting reasons spaces were added within the quotation marks for the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.

Number    Short Text
805       File '&1 &2 ' is not in the directory area '&3 &4 '.
806       File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
807       Logical file name '&1' does not exist
808       Specify a file name in '&1 &2 '
809       Logical file name '&1' not allowed

13. Save the changes.

Create New System Log Messages

14. Start transaction SE92.

15. Create the following messages:
System log no.    Short text
CU Q              Logical file name &A not configured. Physical file name &B cannot be validated
CU R              Physical file name &B does not meet requirements set by logical file name &A
CU S              Logical file name &B is not a valid alias for logical file name &A
CU T              No validation active for logical file name &A

16. Save the changes.

Create New Function Modules

17. FILE_GET_LOGFILE_ALIAS

a) Go to transaction SE37.

b) Specify function module FILE_GET_LOGFILE_ALIAS.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    FILE_GET_LOGFILE_ALIAS
Function group          SFIL
Short text              FILE_GET_LOGFILE_ALIAS

e) Create the following import parameters:
Import parameter  Reference field  Proposal  Optional
ED_LOGFILE_APPL  FILENAMECI-FILEINTERN
ED_CLIENT  SY-MANDT  SY-MANDT  X

f) Create the following table parameters:
Table parameters  Reference structure  Optional
CTS_ALIAS  FILE_TS_FI  X

g) Save the changes.

18. FILE_LOGFILE_ALIAS_F4

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_F4.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    FILE_LOGFILE_ALIAS_F4
Function group          SFIL
Short text              FILE_LOGFILE_ALIAS_F4

e) Create the following import parameters:
Import parameter  Reference field  Proposal  Optional
ED_LOGFILE_APPL  FILENAME-FILEINTERN
ED_PARAMETER_NAME  X
ED_PROGRAM_NAME  SY-REPID  SY-CPROG  X
ED_SCREEN_NUMBER  SY-DYNNR  SY-DYNNR  X

f) Create the following changing parameters:
CHANGING parameter  Reference field
CD_LOGICAL_FILE  FILENAME-FILEINTERN

g) Save the changes.

19. FILE_LOGFILE_ALIAS_PAI

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PAI.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    FILE_LOGFILE_ALIAS_PAI
Function group          SFIL
Short text              FILE_LOGFILE_ALIAS_PAI

e) Create the following import parameters:
Import parameter  Reference field  Proposal  Optional
ED_LOGFILE_APPL  FILENAMECI-FILEINTERN

f) Create the following changing parameters:
CHANGING parameter  Reference structure
CD_LOGICAL_FILE  FILENAMECI-FILEINTERN

g) Create the following exceptions:
Exception
EXC_INVALID_FILENAME
EXC_VALIDATION_ERROR

h) Save the changes.

20. FILE_LOGFILE_ALIAS_PBO

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PBO.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    FILE_LOGFILE_ALIAS_PBO
Function group          SFIL
Short text              FILE_LOGFILE_ALIAS_PBO

e) Create the following import parameters:
Import parameter  Reference field  Proposal  Optional
ED_LOGFILE_APPL  FILENAMECI-FILEINTERN
ED_PARAMETER_NAME  X

f) Create the following changing parameters:
CHANGING parameter  Reference structure
CD_LOGFILE_PARAM  FILENAMECI-FILEINTERN

g) Save the changes.

21. FILE_VALIDATE_NAME

a) Go to transaction SE37.

b) Specify function module FILE_VALIDATE_NAME.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    FILE_VALIDATE_NAME
Function group          SFIL
Short text              FILE_VALIDATE_NAME

e) Create the following import parameters:
Import parameter  Reference field  Proposal  Optional  Reference
CLIENT  SY-MANDT  SY-MANDT  X  X
LOGICAL_FILENAME  FILENAME-FILEINTERN  X
OPERATING_SYSTEM  SY-OPSYS  SY-OPSYS  X  X
PARAMETER_1  X  X
PARAMETER_2  X  X
PARAMETER_3  X  X
WITH_FILE_EXTENSION  SY-DATAR  X  X
USE_BUFFER  SY-DATAR  X  X
ELIMINATE_BLANKS  SY-DATAR  X  X

f) Create the following export parameters:
Export parameters  Reference
VALIDATION_ACTIVE  X

g) Create the following changing parameters:
CHANGING parameter
PHYSICAL_FILENAME

h) Create the following table parameters:
Table parameters  Reference structure  Optional
TS_ALIAS  FILE_TS_FI  X

i) Create the following exceptions:
Exception
LOGICAL_FILENAME_NOT_FOUND
VALIDATION_FAILED

j) Save the changes.

22. RSAU_WRITE_FILE_AUDIT_LOG

a) Go to transaction SE37.

b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.

c) Choose function Create.

d) Specify the following attributes:
Attribute               Value
Function module name    RSAU_WRITE_FILE_AUDIT_LOG
Function group          SECU
Short text              RSAU_WRITE_FILE_AUDIT_LOG

e) Create the following import parameters:
Import parameter  Reference type
IV_LOGICAL_FILE_PROBLEM  I
IV_PARAM_1
IV_PARAM_2

f) Create the following exceptions:
Exception
PARAMETER_ERROR

g) Save the changes.

Create New Includes

23. LSFILF03

a) Go to transaction SE38.

b) Specify program LSFILF03.

c) Choose function Create.

d) Specify the following attributes:
Attribute    Value
Title        LSFILF03
Type         Include program

e) Save the changes.

------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS   SAP Basis compo...                   |
| Release 620         Until SAPKB62069                                 |
| Release 640         Until SAPKB64027                                 |
| Release 700         Until SAPKB70023                                 |
| Release 710         Until SAPKB71011                                 |
| Release 711         Until SAPKB71106                                 |
| Release 701         Until SAPKB70108                                 |
| Release 702         Until SAPKB70206                                 |
| Release 730         Until SAPKB73001                                 |
| Release 720         Until SAPKB72004                                 |
------------------------------------------------------------------------

Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.

Basis Release    Relevant Archive(s)
<= 46C           Basis_46C_and_lower.zip & RSFILECR.zip
>= 620           Basis_620_and_higher.zip

Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.

Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:
Attribute                      Value
Title                          RSFILECR
Package / Development Class    SFIL

Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.

If you have decided to import the transport request as suggested you do not need to read through the following instructions (exceptions for releases 620 and 640 see above table).

Alternative: Manual Steps
It is recommended that you import the transport file as described above. This highly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation relevant objects.

If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.

If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well since they contain the changes to the individual objects which have to be corrected.
However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to remove the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.
If you do not remove the checkboxes while applying the correction instructions for note 1497003 in this scenario it is possible that (depending on your release and support package level) some corrections will be applied twice resulting in syntax errors in central function groups almost making it impossible to perform any activities in the system.

Add Fixed Value for Domain FILEFORMAT
Fixed value    Short text
DIR            Check directory for file name validation
Activate the changes.

Create New Data Element FILE_ALIASAttribute ValueShort Text Alias for a Logical File NameDomain Name FILEINTERNShort Text AliasMedium Text Alias Logical FileLong Text Alias for a Logical File NameHeader Alias for a Logical File NameActivate the changes.

Create New Data Element SEQNR_NUMC3Attribute ValueShort Text Alias for a Logical File NameDomain Name NUMC3Short Text SeqNrMedium Text Sequential NumberLong Text Sequential NumberHeader Sequential NumberActivate the changes.

Create New Data Element FILE_LAPPLAttribute ValueShort Text Logical File Name of the ApplicationDomain Name FILEINTERNShort Text FileMedium Text Application: FileLong Text Application: Logical File NameHeader Logical File Name of the ApplicationActivate the changes.

Create New Table Type Structure FILE_TS_FILEINTERN

1. General Properties

Attribute    Value
Short text   Logical File Names
Line type    FILEINTERN
Access       Sorted Table
Key          Standard, Non-Unique

Activate the changes.

Create New Database Table FILEALIAS

2. General Properties

Attribute           Value
Short Text          Aliases for Validation of Logical File Names
Delivery Class      G
Tab.Maint.Allowed   Checked

3. Field List

Field           Key   Data Element
RCLNT           X     MANDT
LOGFILE_APPL    X     FILE_LAPPL
SEQNR           X     SEQNR_NUMC3
LOGFILE_ALIAS         FILE_ALIAS

4. Foreign Keys

Define foreign key relationship for the following fields:

- LOGFILE_APPL

- LOGFILE_ALIAS

a) Accept proposed check table and fields.

b) Activate the changes.

Create New View Maintenance

5. Create DDIC view V_FILEALIA:

a) Start transaction SE54.

b) Specify Table/View V_FILEALIA.

c) Select option ABAP Dictionary.

d) Choose function Create/change.

Attribute           Value
Type                View
Development Class   SFIL
Short Text          Aliases for Validation of File Names
Table               FILEALIAS

e) View Fields

View field      Table       Field name
RCLNT           FILEALIAS   RCLNT
LOGFILE_APPL    FILEALIAS   LOGFILE_APPL
SEQNR           FILEALIAS   SEQNR
LOGFILE_ALIAS   FILEALIAS   LOGFILE_ALIAS

f) Activate the changes.

6. Generate Objects

a) Start transaction SE54.

b) Specify Table/View V_FILEALIA.

c) Select option Generated Objects.

d) Choose function Create/change.

Attribute             Value
Function Group        1SFN
Authorization Group   SC
Maintenance Type      one step
Overview screen       100

e) Choose function Create.

f) Follow the dialog to create the view maintenance objects.

Create New Messages

7. Start transaction SE91.

8. Specify message class SG.

9. Choose option Messages.

10. Choose function Change.

11. Create the following messages. Please note that due to formatting reasons spaces were added within the quotation marks for the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.

Number   Short Text
805      File '&1 &2 ' is not in the directory area '&3 &4 '.
806      File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
807      Logical file name '&1' does not exist
808      Specify a file name in '&1 &2 '
809      Logical file name '&1' not allowed

12. Save the changes.

Create New System Log Messages

13. Start transaction SE92.

14. Create the following messages:

System log no.   Short text
CU Q             Logical file name &A not configured. Physical file name &B cannot be validated
CU R             Physical file name &B does not meet requirements set by logical file name &A
CU S             Logical file name &B is not a valid alias for logical file name &A
CU T             No validation active for logical file name &A

15. Save the changes.

Create New Function Modules

16. FILE_GET_LOGFILE_ALIAS

a) Go to transaction SE37.

b) Specify function module FILE_GET_LOGFILE_ALIAS.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_GET_LOGFILE_ALIAS
Function group         SFIL
Short text             FILE_GET_LOGFILE_ALIAS

e) Create the following import parameters:

Import parameter   Typing   Associated Type   Default Value   Optional   Pass value
ED_LOGFILE_APPL    TYPE     FILEINTERN                                   X
ED_CLIENT          TYPE     MANDT             SY-MANDT        X          X

f) Create the following table parameters:

Changing parameters   Typing   Associated Type
CTS_ALIAS             TYPE     FILE_TS_FILEINTERN

g) Save the changes.

17. FILE_LOGFILE_ALIAS_F4

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_F4.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_F4
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_F4

e) Create the following import parameters:

Import parameter    Typing   Associated Type   Default Value   Optional   Pass value
ED_LOGFILE_APPL     TYPE     FILEINTERN                                   X
ED_PARAMETER_NAME   TYPE     FIELDNAME                         X          X
ED_PROGRAM_NAME     TYPE     SYREPID           SY-CPROG        X          X
ED_SCREEN_NUMBER    TYPE     SYDYNNR           SY-DYNNR        X          X

f) Create the following changing parameters:

CHANGING parameter   Typing   Associated Type
CD_LOGICAL_FILE      TYPE     FILEINTERN

g) Save the changes.

18. FILE_LOGFILE_ALIAS_PAI

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PAI.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PAI
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PAI

e) Create the following import parameters:

Import parameter   Typing   Associated Type   Default Value   Optional   Pass value
ED_LOGFILE_APPL    TYPE     FILEINTERN

f) Create the following changing parameters:

CHANGING parameter   Typing   Associated
CD_LOGICAL_FILE      TYPE     FILEINTERN

g) Create the following exceptions:

Exception
EXC_INVALID_FILENAME
EXC_VALIDATION_ERROR

h) Save the changes.

19. FILE_LOGFILE_ALIAS_PBO

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PBO.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PBO
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PBO

e) Create the following import parameters:

Import parameter    Typing   Associated Type   Default Value   Optional   Pass value
ED_LOGFILE_APPL     TYPE     FILEINTERN                                   X
ED_PARAMETER_NAME   TYPE     FIELDNAME                         X          X

f) Create the following changing parameters:

CHANGING parameter   Typing   Associated Type
CD_LOGFILE_PARAM     TYPE     FILEINTERN        X

g) Save the changes.

20. FILE_VALIDATE_NAME

a) Go to transaction SE37.

b) Specify function module FILE_VALIDATE_NAME.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_VALIDATE_NAME
Function group         SFIL
Short text             FILE_VALIDATE_NAME

e) Create the following import parameters:

Import parameter      Type spec.   Reference field       Proposal   Optional   PassValue
CLIENT                LIKE         SY-MANDT              SY-MANDT   X          X
LOGICAL_FILENAME      LIKE         FILENAME-FILEINTERN                         X
OPERATING_SYSTEM      LIKE         SY-OPSYS              SY-OPSYS   X          X
PARAMETER_1                                                         X          X
PARAMETER_2                                                         X          X
PARAMETER_3                                                         X          X
WITH_FILE_EXTENSION                                                 X          X
USE_BUFFER                                                          X          X
ELIMINATE_BLANKS      LIKE         SY-DATAR                         X          X

f) Create the following export parameters:

Export parameters   Typing   Associated Type
VALIDATION_ACTIVE   TYPE     BOOLE_D
TS_ALIAS            TYPE     FILE_TS_FILEINTERN

g) Create the following changing parameters:

CHANGING parameter   Typing   Associated Type
PHYSICAL_FILENAME    TYPE     CLIKE

h) Create the following exceptions:

Exception
LOGICAL_FILENAME_NOT_FOUND
VALIDATION_FAILED

i) Save the changes.

21. RSAU_WRITE_FILE_AUDIT_LOG

a) Go to transaction SE37.

b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   RSAU_WRITE_FILE_AUDIT_LOG
Function group         SECU
Short text             RSAU_WRITE_FILE_AUDIT_LOG

e) Create the following import parameters:

Import parameter          Typing   Associated Type
IV_LOGICAL_FILE_PROBLEM   TYPE     I
IV_PARAM_1                TYPE     CLIKE
IV_PARAM_2                TYPE     CLIKE

f) Create the following exceptions:

Exception
PARAMETER_ERROR

g) Save the changes.

Create New Includes

22. LSFILF03

a) Go to transaction SE38.

b) Specify program LSFILF03.

c) Choose function Create.

d) Specify the following attributes:

Attribute   Value
Title       LSFILF03
Type        Include program

e) Save the changes.
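
The following ABAP report is an added example, not part of the SAP note or of SAP's delivered code. It shows how an application would call the FILE_VALIDATE_NAME interface created in step 20 before opening a user-supplied file name. The report name Z_FILE_VALIDATE_DEMO, the logical file name Z_DEMO_EXPORT, the strict-mode switch and the reading of an initial VALIDATION_ACTIVE as "no check was performed" are assumptions; the syntax assumes release 700 or later.

```abap
REPORT z_file_validate_demo.

* Added example. Assumed names (not delivered by the note):
*   Z_FILE_VALIDATE_DEMO  this report
*   Z_DEMO_EXPORT         logical file name maintained by the customer
CONSTANTS gc_logfile TYPE fileintern VALUE 'Z_DEMO_EXPORT'.

PARAMETERS p_file   TYPE c LENGTH 255 LOWER CASE OBLIGATORY.
PARAMETERS p_strict AS CHECKBOX DEFAULT 'X'.

DATA: gv_physical TYPE c LENGTH 255,
      gv_active   TYPE boole_d,
      gv_line     TYPE string.

START-OF-SELECTION.

* Pattern the note corrects: the user-supplied name is passed directly
* to the file statement, so nothing ties it to the directory the
* application is meant to use.
*   OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.

  gv_physical = p_file.

* Corrected pattern: validate the physical name against the logical
* file name that belongs to this application before any file access.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = gc_logfile
    IMPORTING
      validation_active          = gv_active
    CHANGING
      physical_filename          = gv_physical
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.

  IF sy-subrc <> 0.
*   Fail closed and show the reason reported by the function module
*   (assumption: it fills SY-MSG* with one of the SG 805-809 messages).
    MESSAGE ID sy-msgid TYPE 'E' NUMBER sy-msgno
            WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  ENDIF.

* Assumption: an initial VALIDATION_ACTIVE means the logical file name
* is not configured for validation, so the call succeeded without a
* check. In strict mode that is treated as a refusal.
  IF gv_active IS INITIAL AND p_strict = 'X'.
    MESSAGE 'No validation active for the logical file name' TYPE 'E'.
  ENDIF.

* Use only the validated name from here on, never P_FILE.
  OPEN DATASET gv_physical FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  DO.
    READ DATASET gv_physical INTO gv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    WRITE / gv_line.
  ENDDO.

  CLOSE DATASET gv_physical.
```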

------------------------------------------------------------------------
|Manual Pre-Implement.                                                 |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS                      SAP Basis compo...|
| Release 46C         Until SAPKB46C61                                 |
| Release 46B         Until SAPKB46B61                                 |
------------------------------------------------------------------------

Please download the ZIP archive attached to this note corresponding to your release (see table below), extract the transport files and import the transport request(s) into your correction system.

Basis Release   Relevant Archive(s)
<= 46C          Basis_46C_and_lower.zip & RSFILECR.zip
>= 620 - 640    Basis_620_and_higher.zip

Note: Releases 620 and 640
Depending on the level of your basis support package you will have to create the function module RSAU_WRITE_FILE_AUDIT_LOG as described below.

Also, you need to create the program RSFILECR using transaction SE38. Please specify the following attributes when creating the program:

Attribute                     Value
Title                         RSFILECR
Package / Development Class   SFIL

Release Independent Information
The transport requests only contain part of the objects which need to be changed for this security correction. Even if you import the transport request you still need to apply the correction instructions.

If you have decided to import the transport request as suggested you do not need to read through the following instructions (for exceptions for releases 620 and 640 see the table above).

Alternative: Manual Steps
It is recommended that you import the transport file as described above. This greatly reduces the potential for copy & paste errors or other errors when manually applying the necessary changes. Also, the transport files contain long texts as well as translations of translation-relevant objects.

If you decide to implement the corrections manually you need to implement the correction instructions according to note 1543851 via SNOTE as well, since they contain the changes to the individual objects which have to be corrected.

However, since the correction instructions of note 1497003 are marked as prerequisite for the corresponding security notes of the individual application components, you still need to execute SNOTE for note 1497003. When you execute SNOTE for note 1497003 be sure to deselect the checkboxes for all objects before continuing. The system will then request that you confirm that the note has been completely implemented anyway. You have to confirm this. Otherwise you will not be able to apply the correction instructions for the application components' security notes.

If you do not deselect the checkboxes while applying the correction instructions for note 1497003 in this scenario, it is possible that (depending on your release and support package level) some corrections will be applied twice, resulting in syntax errors in central function groups and making it almost impossible to perform any activities in the system.

If you are sure that you cannot import the attached transport request you have to perform the following manual steps. Please note that depending on your basis release and support package you will have to create additional objects (like programs, function modules, etc.) manually before being able to implement the corrections automatically via SNOTE.

Add Fixed Value for Domain FILEFORMAT

Fixed value   Short text
DIR           Check directory for file name validation

Activate the changes.

Create New Data Element FILE_ALIAS

Attribute     Value
Short Text    Alias for a Logical File Name
Domain Name   FILEINTERN
Short Text    Alias
Medium Text   Alias Logical File
Long Text     Alias for a Logical File Name
Header        Alias for a Logical File Name

Activate the changes.

Create New Data Element FILE_LAPPL

Attribute     Value
Short Text    Logical File Name of the Application
Domain Name   FILEINTERN
Short Text    File
Medium Text   Application: File
Long Text     Application: Logical File Name
Header        Logical File Name of the Application

Activate the changes.

Create New Structure FILE_TS_FI

1. General Properties

Attribute    Value
Short text   Logical File Names

2. Field List

Field      Data Element
FILENAME   FILEINTERN

Activate the changes.

Create New Database Table FILEA31I

3. General Properties

Attribute           Value
Short Text          Aliases for Validation of Logical File Names
Delivery Class      G
Tab.Maint.Allowed   Checked

4. Field List

Field        Key   Data Element
RCLNT        X     MANDT
LOGFILE_AP   X     FILE_LAPPL
SEQNR        X     SEQNR
LOGFILE_AL         FILE_ALIAS

5. Foreign Keys

Define foreign key relationship for the following fields:

- LOGFILE_AP

- LOGFILE_AL

a) Accept proposed check table and fields.

b) Activate the changes.

Create New View Maintenance

6. Create DDIC view V_FILEA31I:

a) Start transaction SE54.

b) Specify Table/View V_FILEA31I.

c) Select option ABAP Dictionary.

d) Choose function Create/change.

Attribute           Value
Type                View
Development Class   SFIL
Short Text          Aliases for Validation of File Names
Table               FILEA31I

e) View Fields

View field   Table      Field name
RCLNT        FILEA31I   RCLNT
LOGFILE_AP   FILEA31I   LOGFILE_AP
SEQNR        FILEA31I   SEQNR
LOGFILE_AL   FILEA31I   LOGFILE_AL

f) Activate the changes.

7. Generate Objects

a) Start transaction SE54.

b) Specify Table/View V_FILEA31I.

c) Select option Generated Objects.

d) Choose function Create/change.

Attribute             Value
Function Group        1SFN
Authorization Group   SC
Maintenance Type      one step
Overview screen       100

e) Choose function Create.

f) Follow the dialog to create the view maintenance objects.

Create New Messages

8. Start transaction SE91.

9. Specify message class SG.

10. Choose option Messages.

11. Choose function Change.

12. Create the following messages. Please note that due to formatting reasons spaces were added within the quotation marks for the placeholders (&1, &2, &3, &4). Please remove these spaces in your system.

Number   Short Text
805      File '&1 &2 ' is not in the directory area '&3 &4 '.
806      File name '&1 &2 ' is not permitted; a permissible file name is '&3 &4'.
807      Logical file name '&1' does not exist
808      Specify a file name in '&1 &2 '
809      Logical file name '&1' not allowed

13. Save the changes.

Create New System Log Messages

14. Start transaction SE92.

15. Create the following messages:

System log no.   Short text
CU Q             Logical file name &A not configured. Physical file name &B cannot be validated
CU R             Physical file name &B does not meet requirements set by logical file name &A
CU S             Logical file name &B is not a valid alias for logical file name &A
CU T             No validation active for logical file name &A

16. Save the changes.

Create New Function Modules

17. FILE_GET_LOGFILE_ALIAS

a) Go to transaction SE37.

b) Specify function module FILE_GET_LOGFILE_ALIAS.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_GET_LOGFILE_ALIAS
Function group         SFIL
Short text             FILE_GET_LOGFILE_ALIAS

e) Create the following import parameters:

Import parameter   Type spec.   Reference field         Proposal   Optional
ED_LOGFILE_APPL    LIKE         FILENAMECI-FILEINTERN
ED_CLIENT          LIKE         SY-MANDT                SY-MANDT   X

f) Create the following table parameters:

Table parameters   Type spec.   Reference structure   Optional
CTS_ALIAS          LIKE         FILE_TS_FI            X

g) Save the changes.

18. FILE_LOGFILE_ALIAS_F4

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_F4.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_F4
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_F4

e) Create the following import parameters:

Import parameter    Type spec.   Reference field       Proposal   Optional
ED_LOGFILE_APPL     LIKE         FILENAME-FILEINTERN
ED_PARAMETER_NAME   LIKE                                          X
ED_PROGRAM_NAME     LIKE         SY-REPID              SY-CPROG   X
ED_SCREEN_NUMBER    LIKE         SY-DYNNR              SY-DYNNR   X

f) Create the following changing parameters:

CHANGING parameter   Type spec.   Reference field
CD_LOGICAL_FILE      LIKE         FILENAME-FILEINTERN

g) Save the changes.

19. FILE_LOGFILE_ALIAS_PAI

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PAI.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PAI
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PAI

e) Create the following import parameters:

Import parameter   Type spec.   Reference field         Proposal   Optional
ED_LOGFILE_APPL    LIKE         FILENAMECI-FILEINTERN

f) Create the following changing parameters:

CHANGING parameter   Type spec.   Reference structure
CD_LOGICAL_FILE      LIKE         FILENAMECI-FILEINTERN

g) Create the following exceptions:

Exception
EXC_INVALID_FILENAME
EXC_VALIDATION_ERROR

h) Save the changes.

20. FILE_LOGFILE_ALIAS_PBO

a) Go to transaction SE37.

b) Specify function module FILE_LOGFILE_ALIAS_PBO.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_LOGFILE_ALIAS_PBO
Function group         SFIL
Short text             FILE_LOGFILE_ALIAS_PBO

e) Create the following import parameters:

Import parameter    Type spec.   Reference field         Proposal   Optional
ED_LOGFILE_APPL     LIKE         FILENAMECI-FILEINTERN
ED_PARAMETER_NAME   LIKE                                            X

f) Create the following changing parameters:

CHANGING parameter   Type spec.   Reference structure
CD_LOGFILE_PARAM     LIKE         FILENAMECI-FILEINTERN

g) Save the changes.

21. FILE_VALIDATE_NAME

a) Go to transaction SE37.

b) Specify function module FILE_VALIDATE_NAME.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   FILE_VALIDATE_NAME
Function group         SFIL
Short text             FILE_VALIDATE_NAME

e) Create the following import parameters:

Import parameter      Type spec.   Reference field       Proposal   Optional   PassValue
CLIENT                LIKE         SY-MANDT              SY-MANDT   X          X
LOGICAL_FILENAME      LIKE         FILENAME-FILEINTERN                         X
OPERATING_SYSTEM      LIKE         SY-OPSYS              SY-OPSYS   X          X
PARAMETER_1                                                         X          X
PARAMETER_2                                                         X          X
PARAMETER_3                                                         X          X
WITH_FILE_EXTENSION                                                 X          X
USE_BUFFER                                                          X          X
ELIMINATE_BLANKS      LIKE         SY-DATAR                         X          X

f) Create the following export parameters:

Export parameters   Reference
VALIDATION_ACTIVE   X

g) Create the following changing parameters:

CHANGING parameter   Type spec.   Reference type
PHYSICAL_FILENAME    TYPE         C

h) Create the following table parameters:

Table parameters   Reference structure   Optional
TS_ALIAS           FILE_TS_FI            X

i) Create the following exceptions:

Exception
LOGICAL_FILENAME_NOT_FOUND
VALIDATION_FAILED

j) Save the changes.

22. RSAU_WRITE_FILE_AUDIT_LOG

a) Go to transaction SE37.

b) Specify function module RSAU_WRITE_FILE_AUDIT_LOG.

c) Choose function Create.

d) Specify the following attributes:

Attribute              Value
Function module name   RSAU_WRITE_FILE_AUDIT_LOG
Function group         SECU
Short text             RSAU_WRITE_FILE_AUDIT_LOG

e) Create the following import parameters:

Import parameter          Reference type   Pass value
IV_LOGICAL_FILE_PROBLEM   I                X
IV_PARAM_1                                 X
IV_PARAM_2                                 X

f) Create the following exceptions:

Exception
PARAMETER_ERROR

g) Save the changes.

Create New Includes

23. LSFILF03

a) Go to transaction SE38.

b) Specify program LSFILF03.

c) Choose function Create.

d) Specify the following attributes:

Attribute   Value
Title       LSFILF03
Type        Include program

e) Save the changes.

------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_APPL                          SAP Application|
| Release 31I         Until SAPKH31IB8                                 |
| Release 40B         Until SAPKH40B88                                 |
| Release 45B         Until SAPKH45B66                                 |
------------------------------------------------------------------------

After implementation of the correction instructions please use SA38 to run report RSFILECR. RSFILECR will modify domain FILEFORMAT and generate logical file names and paths according to the software components installed in your system. The program will request a transport request for these changes. You should use the same transport request that you used for implementing the correction instructions.

Afterwards include the object list of the transport you imported in the manual pre-implementation step into this transport request.

This will result in all changes necessary for this note being contained in one single transport request which you can transport throughout the systems which should receive corrections from the correction system where you applied the changes.

How to include the object list

o Start transaction SE09.

o Choose menu path Request/Task >> Display Individually (F5).

o Specify the transport request you used for implementation of the SNOTE correction instructions.

o Choose function Copy (Enter).

o Position the cursor on the transport request ID.

o Choose menu path Request/Task >> Object List >> Include Objects...

o Select option Object list from request and specify the transport request ID of the transport request you imported during the manual pre-implementation step.

o Choose function Copy (Enter).

Additional activities
As described in the main text of the note you should either configure the logical file names and paths created by RSFILECR or activate the system log.

------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   SAP_BASIS                      SAP Basis compo...|
| Release 46C         Until SAPKB46C61                                 |
| Release 46B         Until SAPKB46B61                                 |
| Release 620         Until SAPKB62069                                 |
| Release 640         Until SAPKB64027                                 |
| Release 700         Until SAPKB70023                                 |
| Release 710         Until SAPKB71011                                 |
| Release 711         Until SAPKB71106                                 |
| Release 701         Until SAPKB70108                                 |
| Release 702         Until SAPKB70206                                 |
| Release 730         Until SAPKB73001                                 |
| Release 720         Until SAPKB72004                                 |
------------------------------------------------------------------------

After implementation of the correction instructions please use SA38 to run report RSFILECR. RSFILECR will modify domain FILEFORMAT and generate logical file names and paths according to the software components installed in your system. The program will request a transport request for these changes. You should use the same transport request that you used for implementing the correction instructions.

Afterwards include the object list of the transport you imported in the manual pre-implementation step into this transport request.

This will result in all changes necessary for this note being contained in one single transport request which you can transport throughout the systems which should receive corrections from the correction system where you applied the changes.

How to include the object list

o Start transaction SE09.

o Choose menu path Request/Task >> Display Individually (F5).

o Specify the transport request you used for implementation of the SNOTE correction instructions.

o Choose function Copy (Enter).

o Position the cursor on the transport request ID.

o Choose menu path Request/Task >> Object List >> Include Objects...

o Select option Object list from request and specify the transport request ID of the transport request you imported during the manual pre-implementation step.

o Choose function Copy (Enter).

Additional activities
As described in the main text of the note you should either configure the logical file names and paths created by RSFILECR or activate the security audit log.

Header Data

Release Status:      Released for Customer
Released on:         02.02.2011 13:14:24
Master Language:     English
Priority:            Correction with high priority
Category:            Program error
Primary Component:   BC-CCM-FIL Platform independent file names

Valid Releases

Software Component   Release   From Release   To Release   and Subsequent
SAP_APPL             30        31I            31I
SAP_APPL             40        40B            40B
SAP_APPL             45        45B            45B
SAP_APPL             46C       46C            46C
SAP_BASIS            46        46A            46D
SAP_BASIS            60        610            640
SAP_BASIS            70        700            702
SAP_BASIS            71        710            730
SAP_BASIS            NGAP      72L            72L

Support Packages

Support Packages Release Package Name

SAP_APPL 31I SAPKH31IB9

SAP_APPL 40B SAPKH40B89

SAP_APPL 45B SAPKH45B67

SAP_BASIS 46B SAPKB46B62

SAP_BASIS 46C SAPKB46C62

SAP_BASIS 46C SAPKB46C63

SAP_BASIS 620 SAPKB62070

SAP_BASIS 620 SAPKB62071

SAP_BASIS 640 SAPKB64027

SAP_BASIS 640 SAPKB64028

SAP_BASIS 640 SAPKB64029

SAP_BASIS 700 SAPKB70023

SAP_BASIS 700 SAPKB70024

SAP_BASIS 700 SAPKB70026

SAP_BASIS 701 SAPKB70108

SAP_BASIS 701 SAPKB70109

SAP_BASIS 701 SAPKB70111

SAP_BASIS 702 SAPKB70205

SAP_BASIS 702 SAPKB70206

SAP_BASIS 702 SAPKB70207

SAP_BASIS 702 SAPKB70209

SAP_BASIS 702 SAPKB70210

SAP_BASIS 710 SAPKB71012

SAP_BASIS 710 SAPKB71013

SAP_BASIS 710 SAPKB71014

SAP_BASIS 711 SAPKB71107

SAP_BASIS 711 SAPKB71108

SAP_BASIS 711 SAPKB71109

SAP_BASIS 720 SAPKB72004

SAP_BASIS 720 SAPKB72005

SAP_BASIS 720 SAPKB72006

SAP_BASIS 720 SAPKB72007

SAP_BASIS 730 SAPKB73001

SAP_BASIS 730 SAPKB73002

SAP_BASIS 730 SAPKB73004

SAP_BASIS 730 SAPKB73005

SAP_BASIS 730 SAPKB73007

Related Notes

Number Short Text

1775317 Directory traversal in IS-PS-CA

1775171 Directory traversal in FI-CA

1745442 RFIMPNBS - Potential directory traversals

1725378 Path evaluation for SAPFTP functionality in CA-DMS

1718378 Directory Traversal in Query Snapshot

1710330 Path evaluation for SAPFTP functionality in BC-SRV-KPR

1699041 IN86: Potential Directory Traversal

1698242 FI: Potential Directory Traversal- Italy(RFIDITVCL)

1692988 Directory traversal in SFTP modules

1677913 Documents: Incorrect Document Creation via Batch Input

1677794 Creation of the mailing submission data for Deutsche Post AG

1658791 Directory traversal in Deposits Management

1627531 PT: Mapas Fiscais - Portaria nº 92-A/2011 XML for SNC forms

1620072 Directory traversal in PY-FR-IE

1615093 Directory traversal in IS-H-CM

1612092 PSM: Potential Directory Traversal

1608454 Directory traversal in IS-H-BD

1607881 Directory traversal in IS-H-CM

1606787 HR-RU: Potential directory traversal

1603934 Directory Traversal in XX-CSC-AR

1602943 FI-CA Potential directory traversal

1602328 Directory traversal in PY-FR

1600879 CA-DMS: Potential Directory Traversal

1599261 MM: Potential directory traversal

1599164 Directory traversal in FI-FM

1599094 HCM: Directory traversal in PT-TL

1599072 Directory traversal in RE-BD

1598990 FI: Potential Directory Traversal- Korea

1598898 DNF: Potential Directory Traversal

1598851 Directory traversal in PY-FR-IE

1598791 Potential Directory Traversal in PY-NL

1598699 Potential Directory Traversal in PY-NL

1598698 Potential Directory Traversal in PA-PF-NL

1598420 ZFM/ALC: Potential Directory Traversal

1598417 DIRF: Potential Directory Traversal

1598415 SINTEGRA: Potential Directory Traversal

1598360 MANAD: Potential Directory Traversal

1598285 Directory Traversal in Payroll Belgium PY-BE

1598152 Directory Traversal in Payroll Belgium PY-BE

1597920 FI: Potential Directory Traversal - RFIDITSR00

1597789 IN86: Potential Directory Traversal

1597786 Potential directory traversal - Finland (FOTV)

1597402 Directory traversal in XX-CSC-AT

1597158 FI: Potential Directory Traversal-Venezuela

1597146 FI: Potential Directory Traversal- Italy(RFIDITBLIST)

1597062 FI: Potential Directory Traversal-Spain

1596487 FI-Potential Directory Traversal: J_1AF016

1596473 Directory Traversal in XX-CSC-IN-FI

1596424 FI-Potential Directory Traversal: RFQSCI01

1595064 Bank statement: Potential directory traversal

1594978 Directory traversal in FI-CA

1594359 FI: Potential Directory Traversal - Mexico

1594294 FI: Potential Directory Traversal - Argentina

1593845 Clarification on implementation of Notes 1497003 and 1543851

1593605 FI-Potential Directory Traversal: J_1AF014

1593164 Directory Traversal in Treasury Confirmation

1592470 Directory traversal in the site master import/export

1591557 Potential directory traversal in utility report RPUOTFL0

1590764 EC-CS: Potential Directory Traversal

1590299 Directory Traversal in PP-BD-RTG

1589715 Directory traversal in card application component

1589424 Directory traversal in FI-CA

1589216 FI-AA Data Takeover: Potential Directory Traversal

1588734 FI-AP/AR: Potential Directory Traversal

1587411 Directory traversal in FI-CA-BI

1586893 Directory Traversal in LO-INT-ESO

1584976 FS-CD: Potential Directory Traversal

1584972 Directory traversal in FI-CA

1584421 FI-CA Potential Directory Traversal

1584242 Directory Traversal in the RSCRM framework

1582743 Directory Traversal issue in CA-GTF-RCM

1575722 Directory traversal in BW

1574333 Directory traversal in RE-RT-SC

1574302 Directory traversal in RE-BD and RE-RT

1573997 Potential Directory Traversal in Translation Tools

1571280 SLL-LEG-FUN-UPL: Directory Traversal

1566528 Directory traversal in IS-M

1564732 Installation of SPND on ERP 6.0

1556515 SLL-LEG-FUN-UPL: Directory Traversal

1543851 Potential directory traversals in applications

1542033 Update #1 for security note 1497003

1540257 Potential directory traversal in bill of exchange trans.

1537765 CA-DMS: Potential Directory Traversal

1535492 Directory Traversal in SCM-FRE-FRP

1535062 Directory Traversal in IS-R-LG-RMA

1534637 RN1_CORRECT_CORDTYPES: Potential Directory Traversal

1533996 HCM:Potential Directory Traversal in Payroll Switzerland

1533776 FI: Potential Directory Traversal

1533533 FI: Potential Directory Traversal- Belgium and France

1533500 Argentina J1ACAE: Potential Directory Traversal

1533478 FI-Potential Directory Traversal

1533447 FI: Potential Directory Traversal - PL/HU/CZ/IT

1533445 FI: Potential Directory Traversal - Austria

1532960 Funding Management: Potential directory traversals

1532325 LO-MD-MM: Directory traversal vulnerability

1531793 Potential directory traversals /CCEE/SIFI_EXPORT_GL_LINE

1531054 Potential Directory Traversal in XX-CSC-IL

1530895 Transaction IBIP: Potential Directory Traversal

1526997 Subsequent corr.: Directory Traversal in foreign trade

1526753 FI: Potential Directory Traversal-Additional corrections

1526102 IS-H: Directory Traversal Vulnerability in IS-H

1524781 Directory Traversal batch input BOMs

1522787 Directory Traversal in BC-SRV-KPR-CMS

1522150 Directory Traversal in BC-SRV-KPR-CMS

1521857 RN2_MSI_ADT: Directory Traversal

1521099 Directory Traversal in MM-PUR-VM-SET

1521084 Potential Directory Traversal for report RSTEXTA3

1521046 Potential Directory Traversal in Proposal Pool Export Funct.

1519061 IS-H AT: Directory Traversal in various reports

1518729 MM: Potential Directory Traversal

1518727 EC-PCA: Potential Directory Traversal

1518726 FIN-CGV-MIC: Potential Directory Traversal

1518587 EC-CS: Potential Directory Traversal

1518284 EWM: Potential Directory Traversal

1517930 Travel Expenses: Potential directory traversal

1517832 HCM:Potential Directory Traversal in Payroll Russia PY-RU

1517831 HCM:Potential Directory Traversal in Payroll NPO

1517830 HCM:Potential Directory Traversal in Payroll GB PS

1517828 HCM:Potential Directory Traversal in Payroll Singapore PY-SG

1517825 HCM: Potential Directory Traversal in Payroll Canada PY-CA

1517472 FI-GL-IS: Potential Directory Traversal

1514432 CM: Potential directory traversal issues

1514017 Directory Traversal in transactions CL6E and CL6F

1513492 Directory traversal in SAP Product and REACH Compliance

1512396 Potential directory traversals in application N2UX

1511995 CML/FIN-FSCM-CM: Potential Directory Traversal

1511889 Solving security issue in CPCC_DT_CREATE_SAMPLE_DATA

1511686 DART: Potential Directory Traversal

1511617 FI-BL-PT-FO: Possible directory traversal

1511612 Directory Traversal when displaying hardware information

1511552 Directory Traversal / 8 issues/reopen in EDT

1511119 ICM: Potential Directory Traversal

1511114 ICM: Potential Directory Traversal

1510866 RN1_CORRECT_CORDTYPES: Potential Directory Traversal

1510795 Potential directory traversals using report RLMG0020

1510789 Travel Expenses: Potential directory traversal

1510773 Directory Traversal in RFC modules in classification

1510642 Directory Traversal in foreign trade

1510478 MM: Potential Directory Traversal

1510407 IS-H: Directory Traversal Vulnerability in IS-H

1510372 FS-CD Potential Directory Traversal

1509975 Change access to a file allowed in product control

1509915 Directory Traversal in SAP Payment Engine

1509883 FI-CA Data Transfer - Directory Traversal

1509869 Market Data Interface: Potential Directory Traversal

1509800 Bank Statement: Potential Directory Traversal

1509794 Directory Traversal in transactions CL6E and CL6F

1509722 Potential directory traversals in Creating Limits

1509654 FI: Potential Directory Traversal - Turkey

1509631 RE-FX-SC, RE-FX-MM: Potential Directory Traversal

1509427 FI: Potential Directory Traversal - Spain

1509424 RE-Classic Potential Directory Traversal

1509403 Potential directory traversals in transaction TVDT

1509372 Healthcare Clinical System - Potential Directory Traversal

1509235 Directory Traversal in RFC modules in classification

1509179 Potential directory traversals in batch input programs

1508475 Potential directory traversals in RKEVEXT0

1508380 FI: Potential Directory Traversal-FRANCE

1508378 FI: Potential Directory Traversal - Austria

1508373 FI: Potential Directory Traversal - Portugal

1507980 Directory traversal in redemption schedule batch program

1507936 HCM: Potential Directory Traversal in German Payroll PY-DE

1507935 HCM: Potential Directory Traversal Internat. Payroll PY-XX

1507789 FI: Potential Directory Traversal - China

1507279 FI: Potential Directory Traversal

1507211 FI: Potential Directory Traversal

1507122 FI-CA Potential Directory Traversal

1506843 FI: Potential Directory Traversal

1506736 CML: Potential Directory Traversal

1505512 Bank master data: Potential Directory Traversal

1505368 EHS: Potential Directory Traversal

1504497 COPA: Potential Directory Traversal

1504446 Directory Traversal in the RCCF engines

1504445 Directory Traversal in the RCCF engines

1504416 Potential Directory Traversal

1504205 CM: Potential Directory Traversal ICL_VEHCATALOG

1504203 CM: Potential Directory Traversal ICL_DIAG_UPLOAD

1504190 PSM: Potential Directory Traversal

1504122 CM: Potential Directory Traversal ICL_ICLCLAIMDATA_UPLOAD

1504116 CM: Potential Directory Traversal ICL_DATA_UP_DOWNLOAD

1504062 SCM: Potential Directory Traversal

1503884 Directory Traversal in ISMW

1502931 IS: Potential Directory Traversal

1502918 Directory Traversal in Archivelink function modules

1502766 BCA: Potential Directory Traversal

1502539 Directory traversal in job commander

1502331 Directory traversal: DUEVA download in old regulatory rptg

1502330 Directory traversal in DUEVA download function of BaFin

1502329 Directory traversal: Download for old FMA in Austria

1502295 Directory Traversal in BC-SRV-KPR-CMS

1501905 Directory traversal: Old regulatory rptg in Austrian FMA

1501874 Investment Management: Potential Directory Traversal

1501632 FIN-SEM: Potential Directory Traversal

1501631 CO-OM: Potential Directory Traversal

1500050 LO-MD-MM: Potential Directory Traversal

1499116 FI: Potential Directory Traversal

1499042 Directory Traversal in batch input reports in class system

1498832 FI: Potential Directory Traversal

1497792 Solving security issue in TAO Agent

1493379 Directory traversal in the SCM Optimizers

1489912 BCA: Potential Directory Traversal

1488739 CML: Possible directory traversal

1488541 Potential Directory Traversal in RCCULC01

1487019 Directory Traversal in RM_INITIAL_DATA_LOAD

1473165 Obsolete programs in PSM-FG - Directory Traversal

1471687 Directory traversal in VKT_READ_FORM_AC

1471495 Directory Traversal in report CRM_LEAS_MIGRATE_BILS

Attributes

Attribute Value

Security Security is endangered

Attachments

File Type File Name Language Size

PDF SecurityAuditLog.pdf E 142 KB

PDF SecureProgramming_LogFileNames.pdf E 97 KB

ZIP Basis_620_and_higher.zip E 204 KB

PDF Logical_File_Names.pdf E 112 KB

PDF Logische_Dateinamen.pdf E 114 KB

ZIP RSFILECR.zip E 36 KB

ZIP Basis_46C_and_lower.zip E 58 KB

SP Patch Level

Software Component Version   Support Package   SP Patch Level

SAP KERNEL 6.40 32-BIT UNICODE SP353 000353

SAP KERNEL 6.40 64-BIT UNICODE SP353 000353

SAP KERNEL 7.00 32-BIT SP278 000278

SAP KERNEL 7.10 32-BIT SP224 000224

SAP KERNEL 7.00 32-BIT UNICODE SP278 000278

SAP KERNEL 7.00 64-BIT SP278 000278

SAP KERNEL 7.00 64-BIT UNICODE SP278 000278

SAP KERNEL 7.10 64-BIT UNICODE SP224 000224

SAP KERNEL 7.10 64-BIT SP224 000224

SAP KERNEL 7.10 32-BIT UNICODE SP224 000224

SAP KERNEL 7.2L 64-BIT UNICODE SP023 000023

ACF 7.12 SP000 000035

SAP ITS 6.20 SP040 000040

SAP KERNEL 6.40 32-BIT SP353 000353

SAP KERNEL 6.40 64-BIT SP353 000353

R/3 KERNEL 3.1I_EXT 32-BIT SP786 000786

SAP KERNEL 4.0B_EXT 32-BIT SP1076 001076

SAP KERNEL 4.5B_EXT 32-BIT SP1007 001007

SAP KERNEL 4.6D_EXT 32-BIT SP2551 002551

SAP KERNEL 4.0B_EXT 64-BIT SP1076 001076

R/3 KERNEL 3.1I_EXT 64-BIT SP786 000786

SAP KERNEL 4.6D_EXT 64-BIT SP2551 002551

SAP KERNEL 4.5B_EXT 64-BIT SP1007 001007

SAP GUI FOR WINDOWS 7.10 CORE SP002 000002

SAP KERNEL 4.6D_EX2 32-BIT SP2551 002551

SAP KERNEL 6.40_EX2 32-BIT SP353 000353

SAP KERNEL 6.40_EX2 32-BIT UC SP353 000353

SAP KERNEL 4.6D_EX2 64-BIT SP2551 002551

SAP KERNEL 6.40_EX2 64-BIT SP353 000353

SAP KERNEL 6.40_EX2 64-BIT UC SP353 000353

SAP KERNEL 7.01 32-BIT SP118 000118

SAP KERNEL 7.01 32-BIT UNICODE SP118 000118

SAP KERNEL 7.01 64-BIT SP118 000118

SAP KERNEL 7.01 64-BIT UNICODE SP118 000118

SAP KERNEL 7.11 32-BIT SP110 000110

SAP KERNEL 7.11 32-BIT UNICODE SP110 000110

SAP KERNEL 7.11 64-BIT SP110 000110

SAP KERNEL 7.11 64-BIT UNICODE SP110 000110

SAP KERNEL 7.20 32-BIT SP068 000068

SAP KERNEL 7.20 32-BIT UNICODE SP068 000068

SAP KERNEL 7.20 64-BIT SP068 000068

SAP KERNEL 7.20 64-BIT UNICODE SP068 000068

Symptoms - Side-Effects

The following SAP Notes correct this SAP Note / patch:

SAP Note Reason   Version from   Version to   SAP Note Solution   Version   Support Package

1497003 1542033 1

1497003 1549786 1

1497003 1550116 1

1497003 1605703 1

Correction Instructions

Correction Instructions   Valid from   Valid to   Software Component   Type *)   Reference Correction   Last Changed

926823 45B 45B SAP_APPL C Y4DK8A0BK0 04.01.2011 05:17:50

926824 40B 40B SAP_APPL C Y4BK012323 04.01.2011 05:18:18

926825 31I 31I SAP_APPL C P3IK061635 04.01.2011 05:18:56

939926 31I 31I SAP_APPL C P3IK061690 04.01.2011 05:50:28

939927 40B 40B SAP_APPL C Y4BK012347 04.01.2011 06:22:34

939928 45B 45B SAP_APPL C Y4DK8A0BKA 04.01.2011 06:23:15

917253 620 620 SAP_BASIS C Y6BK103681 04.01.2011 05:07:26

926803 730 730 SAP_BASIS C Y3YK004199 04.01.2011 05:09:43

926815 720 720 SAP_BASIS C Y2ZK030019 04.01.2011 05:10:48

926816 711 711 SAP_BASIS C Y7DK050700 04.01.2011 05:11:44

926818 702 710 SAP_BASIS C Y7CK057280 04.01.2011 06:57:22

926819 701 701 SAP_BASIS C Y1AK054397 04.01.2011 05:14:33

926820 700 700 SAP_BASIS C Y7AK115700 04.01.2011 05:15:24

926821 640 640 SAP_BASIS C Y6DK092194 04.01.2011 05:16:23

926822 46B 46B SAP_BASIS C Y9BK034693 04.01.2011 05:17:10

935951 620 730 SAP_BASIS C YI2K044400 22.12.2010 03:15:33

937781 730 730 SAP_BASIS C Y3YK005937 04.01.2011 05:35:29

937782 730 730 SAP_BASIS C Y3YK005341 04.01.2011 05:36:30

937868 720 720 SAP_BASIS C Y2ZK031052 04.01.2011 05:38:04

937869 711 711 SAP_BASIS C Y7DK051991 04.01.2011 05:38:57

937870 710 710 SAP_BASIS C Y7CK058491 04.01.2011 05:39:27

937871 702 702 SAP_BASIS C YI2K042223 04.01.2011 06:58:32

937872 701 701 SAP_BASIS C Y1AK055738 04.01.2011 06:59:05

937873 700 700 SAP_BASIS C Y7AK116905 04.01.2011 06:59:32

937924 640 640 SAP_BASIS C Y6DK093063 04.01.2011 05:42:23

937925 620 620 SAP_BASIS C Y6BK104291 04.01.2011 05:43:14

938249 701 701 SAP_BASIS C Y1AK055255 04.01.2011 05:44:21

939850 711 711 SAP_BASIS C Y7DK051537 04.01.2011 05:45:07

939851 702 710 SAP_BASIS C Y7CK058065 04.01.2011 05:46:10

939853 700 700 SAP_BASIS C Y7AK116978 04.01.2011 05:47:50

939897 46C 46C SAP_BASIS C Y9CK064936 04.01.2011 05:48:34

939924 640 640 SAP_BASIS C Y6DK092787 04.01.2011 05:49:12

939925 620 620 SAP_BASIS C Y6BK104090 04.01.2011 05:49:49

939929 46C 46C SAP_BASIS C Y9CK065122 04.01.2011 06:23:57

951576 620 620 SAP_BASIS C Y6BK104558 04.01.2011 06:54:57

952327 730 730 SAP_BASIS C Y3YK008466 04.01.2011 06:54:20

952328 720 720 SAP_BASIS C Y2ZK033239 04.01.2011 06:53:55

952329 711 711 SAP_BASIS C Y7DK053557 04.01.2011 06:53:21

952330 702 710 SAP_BASIS C Y7CK059898 04.01.2011 06:52:57

952331 701 701 SAP_BASIS C Y1AK057454 04.01.2011 06:51:51

952332 700 700 SAP_BASIS C Y7AK118479 04.01.2011 07:05:25

952333 640 640 SAP_BASIS C Y6DK093482 04.01.2011 07:05:44

*) C Correction, B Preprocessing, A Postprocessing, M Undefined Work