
Note 1304803 reports can change transp requests? has anyone applied note?

Found the following notes

1304803 Security breach. Certain reports that do not have authorization check can create or change transport requests and change the piece list of a request

and

12988160 - Ability to execute undesired source code in the system using a special call of an RFC module (no further details as to what the 'undesired source code' is have been defined)

Has anyone applied these notes? If so, how do you check if the hole exists, and then, after the note has been applied, how does one verify that the security breach has been corrected?

Please advise

Maria

Former Member
Former Member replied

> Found the following notes
>
> 1304803 Security breach. Certain reports that do not have authorization check can create or change transport requests and change the piece list of a request
>
> and
>
> 12988160 - Ability to execute undesired source code in the system using a special call of an RFC module (no further details as to what the 'undesired source code' is have been defined)
>
> Has anyone applied these notes? If so, how do you check if the hole exists, and then, after the note has been applied, how does one verify that the security breach has been corrected?
>
> Please advise
>
> Maria

Via the corrections of the note, you will often be able to put the puzzle pieces together to be able to "test" whether it is corrected and how... The fact that there are sometimes follow-on notes to such program corrections is evidence of this. Some knowledge and creativity will be required for this.

If you want to be careful of side effects (or find the guilty ones...) then try where-used-list look-ups on the objects being corrected to see where and how they are being used. Not 100% reliable because of dynamic coding techniques, but a good indicator for auditable development work...

Expressions such as "undesired source code" generally refer to remotely definable but internally executable source code, without appropriate checks in between.

If you cannot test it yourself and SAP releases the note as a "Security Note", then these are generally implementable without SAP standard consequences. If something in the z-custom world is bothered by it, you can normally be sure that you already have the problem "in da house"...

Cheers,

Julius
