SAP Note 1304803(Security Note : Changing a transport w/o authorization)

Similar Messages

• Note 1304803 reports can change transp requests? has anyone applied note?

  Found the following notes
  1304803 Security breach.  Certain reports that do not have authorization check can create or change transport requests  and change the piece list of a request
  and
  12988160 - Ability to execute undesired source code in the system using a special call of an RFC module (no further details as to what the 'undesired source code is'  has been defined)
  Has anyone applied these notes? if so how do you check if the hole exists and then after the note has been applied how does one verify that the security breach has been corrected?
  Please advsie
  Maria

  >
  Maria Graziano wrote:
  > Found the following notes
  > 1304803 Security breach.  Certain reports that do not have authorization check can create or change transport requests  and change the piece list of a request
  > and
  > 12988160 - Ability to execute undesired source code in the system using a special call of an RFC module (no further details as to what the 'undesired source code is'  has been defined)
  >
  > Has anyone applied these notes? if so how do you check if the hole exists and then after the note has been applied how does one verify that the security breach has been corrected?
  >
  > Please advsie
  >
  > Maria
  Via the corrections of the note, you will often be able to put the puzzle pieces together to be able to "test" whether it is corrected and how... The fact that there are sometimes follow-on notes to such program corrections is evidence of this. Some knowledge and creativity will be required for this.
  If you want to be carefull of side affects (or find the guilty ones...) then try where-used-list look-ups on the objects being corrected to see where and how they are being used. Not 100% reliable because of dynamic coding techniques, but a good indicator for auditable development work...
  Expressions such as "undesired source code" generally refer to remotely definable but internally executable source code, without appropriate checks in between.
  If you cannot test it yourself and SAP releases the note as a "Security Note", then these are generally implementable without SAP standard consequences. If something in the z-custom world is bothered by it, you can normally be sure that you already have the problem "in da house"...
  Cheers,
  Julius

• EWA does not report security notes missing and java systems

  Hello guys,
  Our early watch report don't contain section 7.1 with security notes missing in the system.
  We have solution manager 7.0 with ST-SER 700_2008_1 SP4.
  What do we need to configure so that ewa reports security notes missing?
  Another doubt, how can I get the list of security notes missing in java stack system like portal?
  thanks.
  regards,
  Filipe

  hello Filipe
  Below is a line from the SAP note 888889.
  "In the SAP EarlyWatch Alert report, the "Service Preparation Check" unit complains that Note 888889 is not implemented.  As a result, the check for security-relevant notes can only be carried out partially in the "Security" section."
  Looks like that could be the reason for that.
  For JAVA stack there is no note concept.
  Thanks & regards
  bala

• After upgrade to Tiger, Keychain does not show Secure Notes

  I've just finished upgrading from Panther to Tiger. I began with a Psync backup, did a fresh intall of Tiger on the boot drive, and have migrated user data manually. Everything is kosher except that Keychain 3.3 is not displaying any of my Keychain 3.1 Secure Notes.
  There doesn't seem to be anything wrong with the keychain itself. I can open it under Keychain 3.1 and it displays the notes just fine. I've also run Kechain 3.3 First Aid and it doesn't think there is a problem either.
  Any clues?

  I solved my problem, and of course the answer was staring me in the face the whole time. I keep a separate keychain for notes and certain other passwords, and this keychain had to be initially opened manually by double-clicking it. Information about secondary keychains is stored in the Keychain preferences file (which I had migrated over), but apparently was not enough to get Keychain 3.5 to open the file automatically. The keychain file only needs to be opened manually one time.
  Hope this saves somebody else a few minutes of frustration.

• Web Template not impacted after query changed and Transported

  Hi. All.
                      We have modified the query and transported to production But query changes not been
  impacted on Standard web teplate. But it works fine in Bex Analyzer.
                     Issue is there was a description was truncated earlier we used initially as short description.
  Later we mapped to Medium description and modified the entire flow and loaded. It works fine.
                    Only in production we are not seeing correct description in web report and it works fine with Analyzer. So we need to ask the user as after executing the report he needs to change characterstic property from Standard to Medium.
  But it would be bit inconvenience to users.
              So how can we solve this problem and why the query changes are not impacting on Web template.
  Please provide your views on this issue.
  Thanks & Regards
  Vijay

  Hi Vijay,
  one reason might be if you use the option "personalization" within the web template. If users can personalize the templates changes will not be visible and have to be deleted at the time a new version of the query is provided. There are background tables for the personalization as well where you can delete all objects for this template at once if necessary.
  Brgds,
  Marcel

• Do SAP Security Notes contain hacker and/or virus defence?

  Dear SCN fellows,
  I am new to this community and generally new to asking for SAP help in discussions and blogs.
  I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
  I am investigating a companies SAP Security settings against its policy and global market standards.  I have identified that since our SAP rollout SAP Security notes patches have not been maintained.  RSECNOTE provides a large list of missing security notes.  I'm writing a report and what to confirm whether these notes offer any advice, support or notification of hacking or viruses.  Similar to Internet security software I guess.
  Can anyone advise if my thoughts and questioning is heading in the right direction or have I got the concept of SAP Security Notes completely wrong?
  Thank you kindly.
  Paul

  Hi Paul,
  I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
  SAP releases respective security notes as per the loophole identification.  Once you run RSECNOTE you get the list of all applicable notes to your software release.
  Applying these notes will help you to remove the vulnerability SAP identified, So yes it contains solution to remove vulnerability.
  I'm writing a report and what to confirm whether these notes offer any advice, support or notification of hacking or viruses.  Similar to Internet security software I guess.
  Could you please elaborate it is not that clear to me.
  BR,
  Mangesh

• SAP Cookies does not have secure attribute

  Cookies remain without Secure Attribute after changing ticket_only_by_https = 1, SystemCookiesHTTPSProtection=true, and ume.logon.security.enforce_secure_cookie=True.
  1.)ABAP: sap-appcontext cookies
  2.)Portal: com.sap.engine.security.authentication.original_application_url   
  Security guidelines advice us to put all cookies into secure flag.
  1.) What are these cookies, the information it contain and how are they use?
  2.) Is it necessary to set this cookies to secure flag? If not is how does SAP handles possible cookie hijacking?

  Hi Jason,
  The cookie "com.sap.engine.security.authentication.original_application_url" is used to remember the originally called URL, when - to retrieve this URL - a logon is needed. After the successful login, it is used to redirect to the originally called application URL (and will be deleted then).
  It is also (mis)used to interpret for the SPNego login module if there already was a failed approach to login via SPNego. So if the auth request sees this cookie, it does not try to run SPNego but skips it.
  The value is encoded; only the information if the initial request was GET or POST is put in clear text in front of the value, separated by a "#" char.
  The code setting the cookie can be found in class com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler in line 1200++ - there someone could add the secure flag.
  Hope it helps
  Detlev

• Change and transport system not configured

  hi
  Please anybody help me on this. I installed SAP IDES4.7 on Win Xp with Oracle9.2. It is working good except one error. when i click on anymenu item in GUI a popup says " change and transport system not configured'.
  How to fix this?
  i appreciate your help in advance. Thanks
  Madhu

  Hi
  After installing SAP IDES4.7 u have to do post-installation.As a postinstallation u have to configure the STMS(sap transport management system)
  STMS is mainlly used for moving objects from one system to other system
  Regards
  kiran kumar.v

• SAP Note 1391072 - 1099 Legal Changes for 2009

  Hi,
  Can anyone please suggest how can I implement the SAP Note 1391072 - 1099 Legal Changes for 2009.
  This note is talking about import of some transport in system but I am not sure what need to be done.
  Please suggest how can I implement it.
  Thanks,
  Shilpa

  Hi All,
  This note is basically talking about import of transport in system and if you visit to Service.sap.com then you will get a zip file of transport. This zip file need to be imported in system...
  Thanks
  Shilp

• In Security, clicking on the "Saved Password" button displays your current saved password for each site. It does not allow you to change a password. How would you do that?

  In Security, clicking on the "Saved Password" button displays your current saved password for each site. It only allows you to view and delete site passwords. It does not allow you to change a password. How would you do that?

  If you enter a new password Firefox should offer to change the password.
  *You may not need to delete the old password. Try "Refreshing" the page, entering the site again, you may need to let Firefox fill in the old password, then enter the new password, and Firefox should ask to save the new password. See:
  **http://kb.mozillazine.org/Deleting_autocomplete_entries
  *If you delete the old password, you may need to "Refresh" the site after deleting the old password.
  If you want to delete the password that has been saved do the following:
  #In the Tools menu select Options to open the options window
  #Go to the Security panel
  #Click the "Saved Passwords" button to open the passwords manager
  #Select the site in the list, then click Remove
  <br />
  <br />
  '''You need to update the following.''' The Plugin version(s) shown below was/were submitted with your question and is/are out of date. You should update to avoid known security issues with the version(s) you have installed. Click on "More system info..." to the right of your question to see what was included with your question.
  *Adobe PDF Plug-In For Firefox and Netscape 8.3.0 (''Note: this is a very old version and installing the current version may not delete it or overwrite it. To avoid possible problems with having 2 versions installed on your system, you may want to remove the old version in Windows Control Panel > Add or Remove Programs before installing the new version'').
  *Shockwave Flash 10.3 r181 (''this may be current but a new version was released on 2011-06-14 with a ".26" after the "181". You can use the Plugin Check below and/or look in Add-ons > Plugins for the version of Shockwave Flash that you have installed. The newest version will be shown in Add-ons > Plugins as "Shockwave Flash 10.3.181.26"'').
  *Next Generation Java Plug-in 1.6.0_24 for Mozilla browsers
  #'''''Check your plugin versions''''' on either of the following links':
  #*http://www.mozilla.com/en-US/plugincheck/
  #*https://www-trunk.stage.mozilla.com/en-US/plugincheck/
  #*'''Note: plugin check page does not have information on all plugin versions'''
  #*There are plugin specific testing links available from this page:
  #**http://kb.mozillazine.org/Testing_plugins
  #'''Update Adobe Reader (PDF plugin):'''
  #*From within your existing Adobe Reader ('''<u>if you have it already installed</u>'''):
  #**Open the Adobe Reader program from your Programs list
  #**Click Help > Check for Updates
  #**Follow the prompts for updating
  #**If this method works for you, skip the "Download complete installer" section below and proceed to "After the installation" below
  #*Download complete installer ('''if you do <u>NOT</u> have Adobe Reader installed'''):
  #**SAVE the installer to your hard drive (save to your Desktop so that you can find it after the download). Exit/Close Firefox. Run the installer you just downloaded.
  #**Use either of the links below:
  #***https://support.mozilla.com/en-US/kb/Using+the+Adobe+Reader+plugin+with+Firefox ''(click on "Installing and updating Adobe Reader")''
  #***''<u>Also see Download link</u>''': http://get.adobe.com/reader/otherversions/
  #*After the installation, start Firefox and check your version again.
  #'''Update the [[Managing the Flash plugin|Flash]] plugin''' to the latest version.
  #*Download and SAVE to your Desktop so you can find the installer later
  #*If you do not have the current version, click on the "Player Download Center" link on the "'''Download and information'''" or "'''Download Manual installers'''" below
  #*After download is complete, exit Firefox
  #*Click on the installer you just downloaded and install
  #**Windows 7 and Vista: may need to right-click the installer and choose "Run as Administrator"
  #*Start Firefox and check your version again or test the installation by going back to the download link below
  #*'''Download and information''': http://www.adobe.com/software/flash/about/
  #**Use Firefox to go to the above site to update the Firefox plugin (will also install plugin for most other browsers; except IE)
  #**Use IE to go to the above site to update the IE ActiveX
  #*'''Download Manual installers'''.
  #**http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller
  #**Note separate links for:
  #***Plugin for Firefox and most other browsers
  #***ActiveX for IE
  #'''Update the [[Java]] plugin''' to the latest version.
  #*Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java Platform: Download JRE)
  #**'''''Be sure to <u>un-check the Yahoo Toolbar</u> option during the install if you do not want it installed.
  #*Also see "Manual Update" in this article to update from the Java Control Panel in Windows Control Panel: http://support.mozilla.com/en-US/kb/Using+the+Java+plugin+with+Firefox#Updates
  #* Removing old versions (if needed): http://www.java.com/en/download/faq/remove_olderversions.xml
  #* Remove multiple Java Console extensions (if needed): http://kb.mozillazine.org/Firefox_:_FAQs_:_Install_Java#Multiple_Java_Console_extensions
  #*Java Test: http://www.java.com/en/download/help/testvm.xml

• HT5312 Am I do not know how to change my rescue email as it is wrong and in can not remember my answers to my security questions so I want to change them but I can't as I have the wrong rescue email anyone know how to change your rescue email

  Am I do not know how to change my rescue email as it is wrong and in can not remember my answers to my security questions so I want to change them but I can't as I have the wrong rescue email anyone know how to change your rescue email

  You won't be able to change it until you can answer 2 of your questions - you will need to contact iTunes Support / Apple to get the questions reset.
  Contacting Apple about account security : http://support.apple.com/kb/HT5699
  When they've been reset you can then use the steps half-way down the page that you posted from to update your rescue email address for potential future use.

• How to change the transport request of a NOTE without undoing the note

  When we applied the OSS NOTE we put it in a transport request. How can we move the objects into another transport request? Since this is a REPAIR type, SAP does not allow manual copy of the entries. I don't want to include the objects of this transport into another one, Is there any other way?

  1. Create a new transport request in SE01
  2. Select the request and click on "Include Objects: button.
  3. Select "Freely Selected Objects: option from the pop-up windoe
  4. Select "Selected Objects" option
  Now you see three rows without any PGMID selected.
  5. Check the checkbox corresponds to the row and enter the value OBJ & OBJNAME (Textbox without any label). (This valued can be retrieved from your previous request).
  6. Delete the same object from your previous request.
  7. Click on "execute" button.
  8. Click on "Save In request" button.

• Has anybody ever had their security questions changed and not have the answers?

  Has anybody ever had their security questions changed and not have the answers for an ipod touch? I cannnot buy music or access my itunes account now. Thank you for any help or direction. Phone support and apple express was a deadend.

  See Kappy's previous discussion.
  HT5312 How to recover security...: Apple Support Communities

• OK so i need to reset my security questions because i do not remember them,but the link that is given for my email is incorrect. i do not know how to change that?

  OK so i need to reset my security questions because i do not remember them,but the link that is given for my email is incorrect. i do not know how to change that?

  You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
  They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
  (103340)

• SAP Security Note 1487730

  Last week we saw SAP releasing its SAP Security Notes as per its SAP Security Patch Day Practice .
  One of thenotes released was related to a BUG FIX in a Kernel as per note 1487730
  https://websmp130.sap-ag.de/sap/support/notes/1487330
  Now the issue goes this way .
  We are on Kernel 7.01 SP Level 79.
  According to the NOTE we need to be atleast on SP Level 103 .
  When I check out at Marketplace I can only Find SP Level 111 which is the latest and released on 14.10.2010 ie. 2 days after the NOTER was released .
  Apprantely we follow a Thumbs Rule here to Implement the Kernel which is lower than the latest Kernel .
  The issue is I cant find Kernel SP Level 103 .
  Is it safe to go for SP Level 111 .
  Our Database is ORACLE 10.2.0.4
  OS PLatform :- Solaris Sparc 64- Bit NON UNICODE
  Regards,
  Ashish .A. Poojary
  Edited by: Ashish Poojary on Oct 21, 2010 7:10 AM

  Hi Ashish,
  Generally the rule of N - 1 is followed for SAP Application patches and not for kernel.
  You can go for latest kernel, it will not be any problem.
  Thanks
  Anil