Solution : https://service.sap.com/sap/support/notes/626073 (SAP Service marketplace login required)
Summary :
The SAP Note addresses issues with missing authorization checks in certain internal Internet Communication Framework (ICF) services. Key services affected include /sap/bc/report, /sap/bc/xrfc, /sap/bc/FormToRfc, and others. For instance, /sap/bc/report fails to verify the existence of authorization groups for reports, potentially leading to unauthorized access unless corrected as advised. Additionally, vulnerabilities linked to cross-site scripting (XSS) in /sap/bc/echo and script injection concerns in /sap/bc/error are corrected with specific Support Packages. Users are advised to deactivate unused services via transaction SICF and implement patches or source code corrections as specified.
Key words :
generic internet communication framework, /sap/bc/soap/rfc, release 620 service /sap/bc/error, internet communication framework services, relevant abap source code, /sap/bc/error reason, service /sap/bc/report, service /sap/bc/echo, services /sap/bc/xrfc, release 610 support package sapkb62033
Related Notes :
| 1487606 | IDoc inbound processing via HTTP/SOAP |
| 1394100 | Security note: Access to RFC-enabled modules via SOAP |
| 711701 | Composite SAP note: Security in E-Recruiting |
| 566955 | SOAP Processor within SAP Web AS released |
| 481543 | Disabling HTTP services in WebAS 6.10 |
| 93254 | RFC short dump RFC_NO_AUTHORITY |