04-23-2009 4:39 PM
Note 1298160: Before applying this note you should be able to call any routine (IV_COMMAND) from any program (IV_CONTEXT) using FM TMS_CI_START_SERVICE. I haven't tested it so I don't know the values for the other parameters. After applying this note you should not be able to use this gap.
When I execute TMS_CI_START_SERVICE, what are the correct import parameters for testing each of the following:
IV_SRCSYSTEM
IV_SRCDOMAIN
IV_SRCVERSION
IV_TARSYSTEM
IV_CONTEXT
IV_ACCESS
IV_EXECMODE
IV_SERVICE
IV_COMMAND
IV_SUPER
IV_TARCLIENT
IV_CALLER
I would like to execute this program and verify that the fix works.
04-27-2009 5:14 PM
It is sufficient to check if the note is applied correctly:
Transaction SNOTE
-> Goto -> SAP Note Browser
Enter the note numbers as a selection for SAP Note Number:
1298160
Execute the report and check if you get the status "Completely implemented" for the note.
In addition you can check using SE37 if the code of the function module TMS_CI_START_SERVICE now contains the code which is shown in the correction instruction (it's somewhere at the beginning).
If you see the line
perform log_command tables tt_table using iv_command iv_context. exit.
then it's ok.
Kind regards
Frank Buchholz
Active Global Support - Security Services
04-27-2009 7:16 PM
This is a function module in a function group used by a SAP standard application, which contained coding which is not foreseen to be used externally.
To test it, just make sure that your usage of standard SAP STMS works as before. As SAP is indicating that no standard scenario was foreseen for these parameters, your customer testing risk is very low. It is important to apply the corrections.
My understanding of this note and the message with it is that SAP has tested their own scenarios and there is no use-case for them... so it is only misuse of the program code in the "illegal" parameters which would be blocked. That is what the patch intends to stop, and write syslog messages of attempts for - anticipating that it will become a popular "fun" parameter for "script kiddies"...
I recommend implementing these notes (and checking for similar coding techniques in your customer programs...).
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 8:16 PM
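An added example, not part of the thread or of SAP's correction: one way to act on the recommendation to check customer programs, assuming "similar coding techniques" means ABAP's dynamic `PERFORM (routine) IN PROGRAM (program)` form and that the customer source has been exported as plain text. The function names and the sample source are constructed for illustration.

```python
import re

# PERFORM <routine> IN PROGRAM <program>; a name in parentheses is resolved at run time.
NAME = r"(\(\s*[\w-]+\s*\)|[\w-]+)"
DYN_PERFORM = re.compile(r"\bPERFORM\s+" + NAME + r"\s+IN\s+PROGRAM\s+" + NAME,
                         re.IGNORECASE)

def strip_comments(source):
    """Blank out '*' comment lines and cut '"' end-of-line comments.
    Simplification: a '"' inside a character literal is also treated as a comment."""
    lines = []
    for line in source.splitlines():
        lines.append("" if line.startswith("*") else line.split('"', 1)[0])
    return lines

def find_dynamic_performs(source):
    """Return (line, routine, program, fully_dynamic) for each PERFORM whose
    routine and/or program name comes from a variable."""
    text = "\n".join(strip_comments(source))  # keeps original line numbering
    findings = []
    for m in DYN_PERFORM.finditer(text):
        routine, program = m.group(1), m.group(2)
        dyn_r, dyn_p = routine.startswith("("), program.startswith("(")
        if not (dyn_r or dyn_p):
            continue  # fully static call: target is fixed at design time
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, routine.strip("() ").lower(),
                         program.strip("() ").lower(), dyn_r and dyn_p))
    return findings

# Constructed sample of customer code, not taken from any SAP system.
SAMPLE = '''\
* PERFORM (old_name) IN PROGRAM (old_prog).   commented out
FORM z_dispatch USING iv_command iv_context.
  PERFORM (iv_command) IN PROGRAM (iv_context) IF FOUND.
  PERFORM write_log IN PROGRAM zutil.
  perform check
    in program (lv_prog).  "dynamic program only
  perform log_command tables tt_table using iv_command iv_context.
ENDFORM.
'''

if __name__ == "__main__":
    for line, routine, program, full in find_dynamic_performs(SAMPLE):
        level = "HIGH" if full else "REVIEW"
        print(f"{level}: line {line}: PERFORM {routine} IN PROGRAM {program}")
```

Each finding still needs a manual check of where the variable is filled, for example from a parameter of a remote-enabled function module.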
04-30-2009 6:38 PM