- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- SAP Version Information in Response Data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SAP Version Information in Response Data
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2012 11:07 PM
Hi Team,
In a recent audit of our systems, one of the action items that has come out is the one I subjected.
How this is achieved: By simply viewing the source page of the browser one can get the technology and also the version of the software being used.
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/themes/portal/sap_tradeshow/prtl_std/prtl_std_ie6.css?7.1.10.0.0">
<LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/themes/portal/sap_tradeshow/glbl/glbl_ie6.css?7.1.10.0.0">
<!-- EPCF: BOB Core -->
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script src="/irj/portalapps/com.sap.portal.epcf.loader/script/optimize/js13_epcf.js?7.01000082"></script>
<script>
<!--
EPCM.relaxDocumentDomain();
EPCM.init( {
Version:7.01000082,
Level:1,
PortalVersion:"7.0110.20110711113411.0000",
DynamicTop:false, // [service=true nestedWinOnAlias=false]
UAType:1, // [MSIE]
UAVersion:7.0,
UAPlatform:1, // [Win]
UIPMode:"1", // [Default=1, User=0, Personalize=true]
UIPWinFeatures:"",
How can we avoid this?
Thanks,
Varun
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2012 9:41 PM
You should actually report this to SAP via a customer message on the service.sap.com and not on SCN...
Generally this information is not protected by authentication and you can call public functions to display the data. the trick is to use a URLfilter on the webdispatcher to determine what the internal functions can call and what an externel caller can see.
Depending on how this "trade shop" is built this may be possible to avoid (blocking the HREF and calls to the "system info" functions) but then the stylesheet might not be able to be used as a nasty side effect as that is on the server side and already contains some release indication in it's name.
--> you should report this to SAP via Service Market Place.
Cheers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2012 12:19 AM
Hi Varun,
May be some portal guy can help you in this to hide the data.
Thanks,
Varun Jain
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2012 9:41 PM
You should actually report this to SAP via a customer message on the service.sap.com and not on SCN...
Generally this information is not protected by authentication and you can call public functions to display the data. the trick is to use a URLfilter on the webdispatcher to determine what the internal functions can call and what an externel caller can see.
Depending on how this "trade shop" is built this may be possible to avoid (blocking the HREF and calls to the "system info" functions) but then the stylesheet might not be able to be used as a nasty side effect as that is on the server side and already contains some release indication in it's name.
--> you should report this to SAP via Service Market Place.
Cheers,
Julius
- SAP Managed Tags:
- Security
