Former Member
Jul 25, 2013 at 08:34 AM

Attachment and note restrictions in SAP Travel Management


Hi experts,

Our SAP Portal system has been audited by IT security experts in order to find out vulnerabilities on the system that could compromise employees' and managers' confidential information, and there were 2 security vulnerabilities detected in SAP Travel Management.

We are using the standard WD ABAP applications on Travel Management processes. The issues were detected on the attachments of the expense report / travel request. We use attachments for employees to upload the risk assessment of the trip (PDF file), and in several countries they also use them to attach their scanned receipts of all expenses made on the business trip. The process is working fine, and it is useful for employees, managers and travel auditors to confirm that the information filled in by the employee corresponds to the expense type chosen and the amount inputted.

The issue detected by IT security experts concerns the attachments and notes storage. As you can see on the following screen it is possible to store a note with embedded code. We did try to include the following code:

<i onmouseover=alert("c"+document.cookie); >X

This means that an employee can include a malicious script in an attachment note that could be executed by his manager.

The above screen shows the activation of the script code during the approval process in the context of a manager.

The other vulnerability is also related to attachments, but in this case on the file option: employees can store any type of document with no restrictions (executable files, binary files, HTML files) that can contain malicious code like Trojans or other viruses:

As far as I know, SAP standard does not cover these security issues. Do you know if SAP has delivered any note to cover this vulnerability? What are your suggestions for a workaround here? Implement an enhancement implementation on this WD Component?

Many thanks in advance.

Best Regards,
AS

Attachments

embebbed code.PNG (141.6 kB)
binaryfiles.PNG (103.1 kB)
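The two checks the post is asking for, as an added illustration that is not part of the original post or of any SAP note: output-encode the note text so the quoted payload renders as literal characters instead of executing, and restrict uploads to an allowlist of expected types (risk-assessment PDFs and scanned receipts) verified by extension and by the file's leading bytes, so a renamed executable or an HTML file is rejected. Written in Python to show the logic; the same checks would be placed in an enhancement of the WD ABAP component (an assumption, not a statement about SAP's standard code).

```python
import html
import re
from typing import Tuple

# Payload quoted in the post; used here as the sample note text.
NOTE_PAYLOAD = '<i onmouseover=alert("c"+document.cookie); >X'

# Constructed allowlist: extension -> leading-byte signatures the content must start with.
# Only the document types the expense process actually needs are listed.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def sanitize_note(text: str) -> str:
    """Encode a free-text note for HTML output so any markup in it is displayed, not rendered."""
    return html.escape(text, quote=True)


def check_attachment(filename: str, content: bytes) -> Tuple[bool, str]:
    """Accept an upload only if its extension is allowlisted AND its bytes match that type.

    Checking the signature as well as the name rejects an executable or HTML file
    that was simply renamed to .pdf before upload.
    """
    match = re.search(r"\.[A-Za-z0-9]+$", filename)
    ext = match.group(0).lower() if match else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext or '(none)'}' is not allowed"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match the signature of a {ext} file"
    return True, "ok"


if __name__ == "__main__":
    print(sanitize_note(NOTE_PAYLOAD))
    # Constructed sample uploads: a real PDF header, a renamed executable, an HTML file.
    for name, data in [("risk.pdf", b"%PDF-1.4\n"), ("risk.pdf", b"MZ\x90\x00"), ("note.html", b"<html>")]:
        print(name, check_attachment(name, data))
```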