Code Corrections LLSAPS-3271

Code Correction Instructions for LLSAPS-3271 – Fix of security issue with function module /IXOS/DC_H_REPORT_TAB_ENTRIES

Reference LLSAPS-3271 (Rev. Apr 2013)

Symptom: Function module /IXOS/DC_H_REPORT_TAB_ENTRIES can be called via RFC and could be misused to insert harmful code: the module takes report source lines through its table parameter PT_SOURCE and writes them into the system with INSERT REPORT, so a remote caller could have arbitrary ABAP generated and stored.

Reason and Prerequisites: The function module is required to create dynamic code in the context of the DocuLink framework and therefore is needed to run DocuLink projects.

Affected Releases

  Software Component                  Release                            Support Package Level
  DocuLink (transport, non Add-on)    9.5 (SAP R/3 4.6C and higher!)     n/a
  OTEXBAS 9.5.1                       0951_46C                           0
  OTEXBAS 9.5.2                       0952_460                           0
  OTEXBAS 9.6.1                       0961_620, 0961_640, 0961_700       0, 1, 2
  OTEXBAS 9.6.2                       0962_620, 0962_640, 0962_700       0, 1, 2, 3
  OTEXBAS 9.8.0                       0980_620, 0980_640, 0980_700       0, 1, 2
  OTEXBAS 10.0                        1000_620, 1000_640, 1000_700       0, 1, 2

Solution: The code correction can be implemented for the affected releases and their support packages. It not only disables RFC but also includes checks to prohibit misuse. Code steps 1-2 remove the RFC enabling and code step 3 implements the additional checks. Note why step 1 adds a parameter: FORM generate_report used to call the module with DESTINATION 'NONE', i.e. in a separate RFC session with its own database LUW. Once the module is a normal function module it is called locally and runs inside the caller's LUW, so the new optional parameter PI_NO_COMMIT_WORK lets that caller suppress the module's own COMMIT WORK (see steps 1 and 2).

Attention:

Code correction steps 1-2 need not be applied for versions older than OTEXBAS 9.6.1 support package 1. Furthermore, code correction steps 1-2 need not be applied for OTEXBAS 10.0 support package 2 and newer. In those versions the function module is not RFC enabled. Step 3 is still required there.

Code correction step 3 can only be applied to SAP systems with at least SAP Basis 4.6C (i.e. at least R/3 4.6C) or newer.

Please do not forget to save and activate the changed code after modification.


Code correction step 1 in: Function Module /IXOS/DC_H_REPORT_TAB_ENTRIES

Code correction: Start transaction se37 and enter Function module = /IXOS/DC_H_REPORT_TAB_ENTRIES

Click on Change.

Go to tab “Attributes” and in area “Processing type” change the radio button from Remote-Enabled Module to Normal Function Module (see also image below).

Now change to tab “Import” and add a new optional parameter PI_NO_COMMIT_WORK of type char1 (see image below).

Now change to tab “Source Code”.

Use “Replace” to implement the correction as a code modification.

Unchanged code section before replace:

WHEN 'Y'.

/IXOS/DC_TAREPY-PROJECT = PI_PROJECT.

/IXOS/DC_TAREPY-VERSION = PI_VERSION.

/IXOS/DC_TAREPY-PROG = PI_REPORTNAME.

/IXOS/DC_TAREPY-DELETE_REPORT = SPACE.

MODIFY /IXOS/DC_TAREPY FROM /IXOS/DC_TAREPY.

ENDCASE.

Code to be deleted/replaced:

COMMIT WORK.

Code to be inserted:


IF pi_no_commit_work NE 'X'.

COMMIT WORK.

ENDIF.

Unchanged code section after insertion:

ENDFUNCTION.

Code correction step 2 in: Include /IXOS/LDC_OF01

Code correction: After the modifications in the function module have been done, saved and activated, continue with the include.

Start transaction se38.

Enter field program = /IXOS/LDC_OF01.

Click on button Change.

Go to FORM generate_report.

Use “Replace” and “Insert” to implement the following corrections as code modifications.

Unchanged code section before replace:

IF g_started_from_gos = 'X'.

Code to be deleted/replaced:

CALL FUNCTION '/IXOS/DC_H_REPORT_TAB_ENTRIES' DESTINATION 'NONE'

Code to be inserted:

CALL FUNCTION '/IXOS/DC_H_REPORT_TAB_ENTRIES'

Unchanged code section after insertion and before next insertion:

EXPORTING

pi_project = pi_input-project

pi_version = pi_input-version

pi_tree_num = pi_input-tree_num

* pi_nodetype = pi_input-parent_nodetype

pi_nodetype = pi_input-nodetype

pi_datasource = pi_input-datasource

pi_usergroup = p_usergroup

pi_reportname = p_reportname

pi_update = l_update_flag

Code to be inserted:

pi_no_commit_work = 'X' " no db commit here


Unchanged code section after insertion:

TABLES

pt_source = lt_source.

ELSE.

Code correction step 3 in: Function Module /IXOS/DC_H_REPORT_TAB_ENTRIES

Code correction: Now we do a further change in function module /IXOS/DC_H_REPORT_TAB_ENTRIES.

Start transaction se37 and enter Function module = /IXOS/DC_H_REPORT_TAB_ENTRIES

Click on Change.

Change to tab “Source Code”.

Use “Insert” to implement the correction as a code modification.

Unchanged code section before insert:

DATA:

L_REPORTTYPE TYPE C.

CLEAR: L_REPORTTYPE.

MOVE: PI_REPORTNAME+10(1) TO L_REPORTTYPE.

Code to be inserted:

* do checks to prevent misuse of report generator

*

* Check 1: Do not allow reports outside

* DocuLink generated report name space

IF PI_REPORTNAME(10) NE '/IXOS/DC_R'

* Check 2: Do not allow reports with unknown type

OR L_REPORTTYPE NA 'CDHISABEFPRTY'.

EXIT.

ENDIF.

*

* Check 3: Have a closer look into callstack

DATA: lt_callstack TYPE sys_callst.

DATA: ls_callstack TYPE sys_calls.

CLEAR: ls_callstack, lt_callstack.

CALL FUNCTION 'SYSTEM_CALLSTACK'

IMPORTING

et_callstack = lt_callstack.


* Check 3a: If a cold type, then only allow inside "COLD"

IF L_REPORTTYPE EQ 'T'. " cold table call

READ TABLE lt_callstack INDEX 2 INTO ls_callstack.

" return if not called by correct function module

IF sy-subrc = 0.

IF ls_callstack-EVENTTYPE(4) NE 'FUNC'.

EXIT.

ENDIF.

IF ls_callstack-eventname NE '/IXOS/DC_P_GENERATE_T_REPORT'.

EXIT.

ENDIF.

ELSE.

EXIT.

ENDIF.

" Check 3b: all other reports are called inside DocuLink context

ELSE.

DATA: l_stloop TYPE i.

DATA: l_notok(1) TYPE c value ''.

l_stloop = 2.

WHILE l_stloop <= 4.

READ TABLE lt_callstack INDEX l_stloop INTO ls_callstack.

" return if not called by code in DocuLink context

IF sy-subrc = 0.

IF ls_callstack-progname(12) NE '/IXOS/SAPLDC'.

l_notok = 'X'.

EXIT.

ENDIF.

ELSE.

l_notok = 'X'.

EXIT.

ENDIF.

ADD 1 TO l_stloop.

ENDWHILE.

* exit, because callstack was not ok

IF l_notok EQ 'X'.

EXIT.

ENDIF.

" Check 3c: Now, as we have DocuLink context, we also check

" permission to call/see at least the DocuLink project

AUTHORITY-CHECK OBJECT 'J_6NG_PROJ'

ID 'J6NG_PROJ' FIELD pi_project

ID 'J6NG_VERS' FIELD pi_version

ID 'J6NG_VIEW' DUMMY

ID 'J6NG_NT' DUMMY.

IF sy-subrc <> 0.

EXIT.

ENDIF.

ENDIF.

Unchanged code section after insertion:

* Three steps:

************

* 1. Insert sourcecode into library


INSERT REPORT PI_REPORTNAME FROM PT_SOURCE.

************

* 2. Tadir entry for DevClass /IXOS/DC_GR, only if no update demand!
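Verification after applying all three steps. The following report is an added example written for this page; it is not part of the OpenText correction note and the report name Z_CHECK_LLSAPS_3271 is an assumption. It reads the SAP dictionary tables TFDIR (FMODE = 'R' marks a remote-enabled module) and FUPARAREF (active parameter list) and scans the module's own include and /IXOS/LDC_OF01 for the markers the correction introduces. The include name of the module is derived from TFDIR-PNAME and TFDIR-INCLUDE by the standard SAPL<group> to L<group>U<nn> convention, so the function group name is read from the system rather than assumed.

```abap
*&---------------------------------------------------------------------*
*& Z_CHECK_LLSAPS_3271 - added verification report (example, not part
*& of the OpenText note). Reports FAIL lines for every step of the
*& LLSAPS-3271 correction that is not active in the system.
*&---------------------------------------------------------------------*
REPORT z_check_llsaps_3271.

CONSTANTS: c_funcname TYPE tfdir-funcname
             VALUE '/IXOS/DC_H_REPORT_TAB_ENTRIES'.

DATA: ls_tfdir    TYPE tfdir,
      l_optional  TYPE fupararef-optional,
      l_include   TYPE progname,
      lt_source   TYPE STANDARD TABLE OF abaptxt255,
      ls_line     TYPE abaptxt255,
      l_callstack TYPE c,              " 'X' if SYSTEM_CALLSTACK is used
      l_authcheck TYPE c,              " 'X' if J_6NG_PROJ is checked
      l_namespace TYPE c,              " 'X' if /IXOS/DC_R prefix is checked
      l_failed    TYPE c.

* Step 1: processing type. FMODE = 'R' means "Remote-Enabled Module".
SELECT SINGLE * FROM tfdir INTO ls_tfdir WHERE funcname = c_funcname.
IF sy-subrc <> 0.
  WRITE: / 'Function module', c_funcname, 'not found - nothing to check.'.
  EXIT.
ENDIF.
IF ls_tfdir-fmode = 'R'.
  WRITE: / 'FAIL: module is still remote-enabled (step 1 not applied).'.
  l_failed = 'X'.
ELSE.
  WRITE: / 'OK:   module is a normal (non-RFC) function module.'.
ENDIF.

* Step 1: the new IMPORTING parameter must exist in the active version
* and be optional, otherwise every existing caller would dump.
SELECT SINGLE optional FROM fupararef INTO l_optional
  WHERE funcname  = c_funcname
    AND r3state   = 'A'
    AND parameter = 'PI_NO_COMMIT_WORK'
    AND paramtype = 'I'.
IF sy-subrc <> 0.
  WRITE: / 'FAIL: parameter PI_NO_COMMIT_WORK missing (step 1 not applied).'.
  l_failed = 'X'.
ELSEIF l_optional <> 'X'.
  WRITE: / 'FAIL: PI_NO_COMMIT_WORK exists but is not optional.'.
  l_failed = 'X'.
ELSE.
  WRITE: / 'OK:   optional parameter PI_NO_COMMIT_WORK is present.'.
ENDIF.

* Step 2: FORM generate_report in /IXOS/LDC_OF01 must call the module
* locally, i.e. no active (non-comment) line may combine the module
* name with DESTINATION.
READ REPORT '/IXOS/LDC_OF01' INTO lt_source.
IF sy-subrc <> 0.
  WRITE: / 'FAIL: could not read include /IXOS/LDC_OF01.'.
  l_failed = 'X'.
ELSE.
  LOOP AT lt_source INTO ls_line.
    IF ls_line-line(1) <> '*'
       AND ls_line-line CS c_funcname
       AND ls_line-line CS 'DESTINATION'.
      WRITE: / 'FAIL: generate_report still calls the module via RFC.'.
      l_failed = 'X'.
    ENDIF.
  ENDLOOP.
ENDIF.

* Step 3: misuse checks inside the module's own include.
* Include name: SAPL<group> -> L<group>U<nn>, built from TFDIR.
l_include = ls_tfdir-pname.
REPLACE 'SAPL' WITH 'L' INTO l_include.
CONCATENATE l_include 'U' ls_tfdir-include INTO l_include.
READ REPORT l_include INTO lt_source.
IF sy-subrc <> 0.
  WRITE: / 'FAIL: could not read include', l_include.
  l_failed = 'X'.
ELSE.
  LOOP AT lt_source INTO ls_line.
    CHECK ls_line-line(1) <> '*'.   " skip full-line comments
    IF ls_line-line CS '''SYSTEM_CALLSTACK'''. l_callstack = 'X'. ENDIF.
    IF ls_line-line CS '''J_6NG_PROJ'''.       l_authcheck = 'X'. ENDIF.
    IF ls_line-line CS '''/IXOS/DC_R'''.       l_namespace = 'X'. ENDIF.
  ENDLOOP.
  IF l_callstack = 'X' AND l_authcheck = 'X' AND l_namespace = 'X'.
    WRITE: / 'OK:   name-space, call-stack and authority checks found.'.
  ELSE.
    WRITE: / 'FAIL: step 3 checks missing in', l_include.
    l_failed = 'X'.
  ENDIF.
ENDIF.

IF l_failed = 'X'.
  WRITE: / 'RESULT: LLSAPS-3271 is NOT fully applied.'.
ELSE.
  WRITE: / 'RESULT: LLSAPS-3271 corrections are in place.'.
ENDIF.
```

Run the report with SE38 after activation; it only reads TFDIR, FUPARAREF and source text, so it needs no DocuLink authorization. The source scans are string matches on the markers of the inserted code, not a parse, so a FAIL on step 3 means "inspect the module in SE37", not that the check itself is wrong. Also keep in mind that the inserted checks leave the module silently with EXIT; they do not raise an exception, so a blocked call is only visible through the missing report, not through a return code at the caller.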
