Vulnerability in EPS_DELETE_FILE RFC function

Former Member
0 Kudos

Hi people,

I'm trying to understand the vulnerability raised at the last BlackHat, but I think I'm not getting the point, so I would like to ask you what I'm missing.

As far as I understand, in case you have a user with access to FM EPS_DELETE_FILE or in case you are able to use TMSADM or SAPCPIC (because you know the password of them) you can delete files in any place where SAP (that is, sidadm) can access with proper rights.

If this is the vulnerability then I don't understand it, because in any case defined previously you can execute the FM and in its initial screen you can select any directory you want (DIR_NAME). So from my point of view, the problem is if you give access to that FM to someone undesirable, but this is a different (role) problem.

So, because for sure it is not as simple as I wrote before, it means that I'm not understanding something (or anything at all!). What am I missing?

Thanks,

Félix

1 ACCEPTED SOLUTION

arseni_gallardo
Active Participant
0 Kudos

Take a look at OSS note 1497003.

Edited by: Arseni Gallardo on Sep 5, 2011 3:29 PM

4 REPLIES 4

0 Kudos

Hi arseni,

Thanks for the reply. The problem that is written in the note is the one that I mentioned previously, about the chance of a SAP user accessing files in a different directory. But, since the user can write the directory he wants in the FM input, I don't see where the problem is.

Best regards,

Félix

0 Kudos

Hi,

The problem with these directory traversal vulnerabilities is that they may allow a malicious user to read or delete files. For example, imagine a program that maintains trace files. If users can enter a name to delete a particular trace file, they can try to enter something like ../file to delete a file outside of the directory. Basically, it all comes back to always checking input values. That note describes multiple mechanisms implemented by SAP to prevent these attacks.

Cheers
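
The input check described in the reply above, as an added example that is not part of the original thread and is not SAP's code: a trace-file delete routine that canonicalizes the requested name and refuses anything resolving outside its own directory. Python is used for illustration; the function names, directory layout and file names are constructed assumptions.

```python
import os
import tempfile


class TraversalError(ValueError):
    """The requested name resolves outside the allowed directory."""


def resolve_inside(base_dir, user_name):
    """Return the canonical path of user_name, or raise if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location the OS would really touch, not on the string as typed.
    # os.path.join drops `base` when user_name is absolute; the check below
    # rejects that case as well.
    target = os.path.realpath(os.path.join(base, user_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise TraversalError(f"{user_name!r} resolves outside {base}")
    return target


def delete_trace_file(base_dir, user_name):
    """Delete one regular file below base_dir and return its canonical path."""
    path = resolve_inside(base_dir, user_name)
    if not os.path.isfile(path):
        raise FileNotFoundError(user_name)
    os.remove(path)
    return path


def demo():
    """Run the routine over a constructed sample tree; return outcome per input."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        trace_dir = os.path.join(root, "trace")
        outside = os.path.join(root, "file")          # must never be deleted
        os.mkdir(trace_dir)
        for p in (os.path.join(trace_dir, "dev_w0.trc"), outside):
            open(p, "w").close()
        samples = [("plain", "dev_w0.trc"), ("dotdot", "../file"),
                   ("absolute", outside), ("nested", "sub/../../file")]
        for label, name in samples:
            try:
                delete_trace_file(trace_dir, name)
                results[label] = "deleted"
            except TraversalError:
                results[label] = "rejected"
        results["outside_survived"] = os.path.exists(outside)
    return results
```

The check and the `os.remove` call are not atomic, so this is only sufficient when untrusted users cannot create symlinks inside the trace directory between the two steps.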

0 Kudos

OK, I didn't realize that in FM EPS_DELETE_FILE you can't restrict access to a specific directory through the S_DATASET object.

Thanks, Martin and Arseni