on 10-16-2008 4:42 PM
Hello,
I'm dealing with a security issue in BO XI 3.0 (I think it's the same with previous versions). When you send a document via email and if you uncheck the default settings, you can enter any email address into the "From" field. Even your CEO's address. The only condition is that this address exists in the SMTP directory.
After looking on the forum, it seems that it can't be fixed with any CMC settings. So I'm trying to secure it via the SDK. Has anyone already done this before?
I have 2 ideas, could you tell me which one seems better to you?
When the "send email" form is populated, the idea is to retrieve the email of the connected user and fill the "From" field with it.
During the form validation, there is a JavaScript function called checkSMTP(). This function checks that the "From" field is filled. Maybe I could check that the email address filled in the field is the same as the email address of the connected user?
What do you think of these solutions? Feasibility? Risk? Security?
Any help will be nice.
Pierre
Before going the SDK way, have you tried setting the SMTPFrom context-param in the InfoViewApp WEB-INF/web.xml file?
Sincerely,
Ted Ueda
I would suggest, if you have support, to open a SAP Incident and get clarification on why the behavior is inconsistent.
One of the dangers in modifying InfoView is that it's just not designed to be modified, and modifications will likely break with a new service pack (i.e., not something you'd want to move forward with).
Sincerely,
Ted Ueda