SAP Note 626073 - Unreleased Internet Communication Framework services

Component : Internet Communication Framework

Solution : https://service.sap.com/sap/support/notes/626073 (SAP Service marketplace login required)

Summary :
The SAP Note addresses missing authorization checks in certain internal Internet Communication Framework (ICF) services. Key services affected include /sap/bc/report, /sap/bc/xrfc, /sap/bc/FormToRfc, and others. For instance, /sap/bc/report fails to verify the existence of authorization groups for reports, potentially leading to unauthorized access unless corrected as advised. In addition, a cross-site scripting (XSS) vulnerability in /sap/bc/echo and script injection concerns in /sap/bc/error are corrected with specific Support Packages. Users are advised to deactivate unused services via transaction SICF and to implement the patches or source code corrections as specified.

Key words :
generic internet communication framework, /sap/bc/soap/rfc, release 620 service /sap/bc/error, internet communication framework services, relevant abap source code, /sap/bc/error reason, service /sap/bc/report, service /sap/bc/echo, services /sap/bc/xrfc, release 610 support package sapkb62033

Related Notes :

1487606 - IDoc inbound processing via HTTP/SOAP
1394100 - Security note: Access to RFC-enabled modules via SOAP
711701 - Composite SAP note: Security in E-Recruiting
566955 - SOAP Processor within SAP Web AS released
481543 - Disabling HTTP services in WebAS 6.10
93254 - RFC short dump RFC_NO_AUTHORITY