MIGO Easter egg

Former Member
0 Kudos

Hello

I've just been checking transaction MIGO for AUTHORITY-CHECK in transaction RSABAPSC and it returned nothing, then tried using SE93 instead (my normal route) and it works fine but I just noticed this at the end of include LMIGOTR2:

************************************************************************
* Easter egg
************************************************************************

It contains some names 🙂 but I can't work out what triggers it. Searching for easter egg brings back several hits in the coffee corner but nothing so far for this one. Anyone got a clue?

Should have saved this for Friday 🙂

Cheers

David

1 ACCEPTED SOLUTION

Former Member
0 Kudos

LOL! Nice catch... the code scanning tools don't see this because they are not checking sy-uname, they are just adding names and menus via hidden commands.

If you type MIGO_DEBUG into the ok-code in MIGO then a special trouble-shooting menu appears for debugging / tracing the application.

If you type MIGO_X1 into the ok-code fields, then the intention was that "the MIGO team"'s names would appear at the bottom of the function list of "Goods Issue", "Goods Receipt", "Juergen Mueller" ... etc.

This is not security related though, just some left-over debugging code and the after-effects of some project party it would seem...  🙂

Cheers,

Julius

13 REPLIES 13

Former Member
0 Kudos

Hi DB,

The names are part of the "About" toolbar option by the looks of it. Not much of an easter egg, unless a picture of Lara Croft pops up along with the names...

Have you been playing with the code scanner again? 😉

0 Kudos

Hi Will,

If you double-left-click into one of the grey areas, then a picture of Lara Croft appears if you blink your eyes very fast and have hyperventilated for 60 seconds beforehand.

Try it. It will work for sure... 🙂

Cheers,

Julius

0 Kudos

Hmm, there must be a bug in the code Julius. I tried it several times, but all I saw was a picture of the Russian Ladies Shot Put champion? 😉

0 Kudos

Having briefly been to Russia I can promise you that even some of the female shot putters are stunners.

MIGO_X1 still doesn't do anything on my screen although there is that brief flicker of a screen refreshing - damn I'm not quick enough on the printscreen button to catch either Lara or a shot putter 🙂

Just tried creating a single role with just MIGO and defaulted SU24 MM_B object class authorisations and you can still bring up the debugger buttons via ok-tcode MIGO_DEBUG and seem to have some ability to bring in data:

eg

094715: Framework Crossreference
094715: ===================
094715:
094715: Registered viewers
094715: ---------------------------
094715: MIGO_ARCH

The trace shows no S_DEVELOP (RC=12) access as expected so I can't see it actually 'doing' anything but it does seem a little more open to abuse than I would have expected.

0 Kudos

Debugging is a very central check - if you can change in the debugger then it does not actually matter anymore what the application does or which one you are using - same goes for secret toolbars.

I don't see any risk here, if you cannot debug anyway. And if you can, then all security is compromised anyway.

Cheers,

Julius

0 Kudos

MIGO_X1 will not do anything on your screen as it is a function which was not implemented for the ok-code list. Only MIGO_DEBUG is supported. From the debugger you can add anything you want to the ok-code list or create your own application (if authorized for the debugger).

When double-left-clicking you have to do it with more feeling for the application.

If you do it like Will did, then you see pictures of women mud wrestlers in the debugger.

If you click carefully, then a picture of Juergen Mueller dressed in drag appears.

If you time it correctly and added enough code in the debugger, then you see Heidi Klum.

If you switch to the system debugger and change variables there to => me, then a picture of me appears every time you hit any key on your keyboard until you leave MIGO and start it again without debug authorizations... 

What is a bit "not nice" is that MIGO keeps the mode, if it was found by the end user on the customer side.

I suggest you report it to SAP as left over debugging code and have it removed as a beautification task of the application. Or make it official and add it to the menu.

Cheers,

Julius

0 Kudos

Hi Julius

Still no reply (at all) from SAP which is to say the least 'a little disappointing'...

Ah well - we tried

Cheers

David

0 Kudos

Possibly they see no security gap in the secret workbench, so will just beautify it in an SP.

But an answer would have been nice, and not just a "tick mark".

Note that for vulnerabilities they should first be reported to SAP. Then after 90 days "admin grace" for the patch it becomes free game for discussion.

I actually used this command once already and found a nifty trick to provide display access to MIGO in this way. Perhaps that was your original intention?

Cheers,

Julius

0 Kudos

Hmmm... the plot thickens and the water gets murky in MIGO....  (LMIGOKR1 line 129)

************************************************************************
* Breakpoint for the secret toolbar. Do not remove!
************************************************************************
METHOD break_point.
  BREAK-POINT.                                             "#EC NOBREAK
ENDMETHOD.                    "break_point
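
Added example, not part of the thread and not SAP's code: a small Python scan over exported ABAP source that reports what this thread found by hand, namely `BREAK-POINT` statements carrying the `"#EC NOBREAK` pseudo-comment, comment markers such as "Easter egg" or "secret", and ok-code literals missing from a documented list. The `CASE`/`WHEN` dispatch, `lv_okcode`, `OK_GO`, `lv_text` and the documented-code set are assumptions for illustration; the page does not show how MIGO handles its ok-codes.

```python
import re

# Constructed sample: the method quoted in the post, followed by hypothetical
# ok-code dispatch (lv_okcode, OK_GO and lv_text are assumptions, not SAP code).
SAMPLE = '''\
* Breakpoint for the secret toolbar. Do not remove!
METHOD break_point.
  BREAK-POINT.                                             "#EC NOBREAK
ENDMETHOD.                    "break_point
* BREAK-POINT. commented out, must not be reported
  CASE lv_okcode.
    WHEN 'MIGO_DEBUG'.
    WHEN 'OK_GO'.
      lv_text = 'BREAK-POINT "x" inside a literal'.
  ENDCASE.
'''

BREAK_RE = re.compile(r"^\s*BREAK-POINT\b", re.I)
WHEN_RE = re.compile(r"^\s*WHEN\s+'([^']+)'", re.I)
MARKER_RE = re.compile(r"easter egg|secret", re.I)

def split_comment(line):
    """Split one ABAP line into (code, comment), honouring '..' and `..` literals."""
    if line.startswith("*"):          # '*' in column 1: whole line is a comment
        return "", line[1:]
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'`":
            quote = ch
        elif ch == '"':               # '"' outside a literal starts a comment
            return line[:i], line[i + 1:]
    return line, ""

def scan(source, documented_codes):
    """Return (line_no, finding) pairs for leftover debug hooks in ABAP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code, comment = split_comment(line)
        if MARKER_RE.search(comment):
            findings.append((no, "comment-marker"))
        if BREAK_RE.search(code):
            hidden = "#EC NOBREAK" in comment.upper()
            findings.append((no, "break-suppressed" if hidden else "break"))
        m = WHEN_RE.search(code)
        if m and m.group(1).upper() not in documented_codes:
            findings.append((no, "undocumented-okcode:" + m.group(1).upper()))
    return findings
```

Calling `scan(SAMPLE, {"OK_GO"})` reports the comment marker, the suppressed breakpoint and the `MIGO_DEBUG` branch, while the commented-out statement and the string literal are ignored.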

0 Kudos

Ah-ha! 🙂

And I'm now carefully backing out of SE38 and going back to things I understand a little better...

0 Kudos

Aw, don't do that DB, you've started something here - I'm currently busy scanning 3,000 packages in development for comments containing the word Sche**e. Which may have been a result of the morning after the project party.

Not that it's quiet or anything...

0 Kudos

I took a deeper look into this, and for anyone who knows MIGO I think you will understand that it is not just a tcode but rather a central goods movement workbench and the screen programming is very complex.

You cannot Batch Input it (it offers internal and BAPI Function Modules as APIs to the various functions it can perform). The developers obviously have test cases to verify that dialog processing works but they cannot script it and want to re-use their tests...

So they choose the debugger as the weapon of choice and via this special mode compare their expected results to their data, and insert their data "one shot" into the debugger.

Such left over debugging code should ideally be removed before shipping to customers, but if you are not authorized to debug then you won't even get in there. And the functionality does not actually do anything (they probably removed the music after the development).

Now... if the secret toolbar functions for import from file would actually work in customer systems and one could add text for "David Berry" templates then you might gain a small user satisfaction from it (and might be invited to the next project party..  🙂)

You will be much better off using transaction MASS (full support of BOR objects for mass processing) or a BAPI called from your own application.

Cheers,

Julius