
Attachment and note restrictions in SAP Travel Management

Former Member

Hi experts,

Our SAP Portal system has been audited by IT security experts in order to find vulnerabilities in the system that could compromise employees' and managers' confidential information, and 2 security vulnerabilities were detected in SAP Travel Management.

We are using the standard WD ABAP applications for Travel Management processes. The issues were detected in the attachments of the expense report / travel request. We use attachments for employees to upload a risk assessment of the trip (PDF file), and in several countries they also use them to attach scanned receipts of all expenses made on the business trip. The process is working fine and it is useful for employees, managers and travel auditors to confirm that the information filled in by the employee corresponds to the expense type chosen and the amount entered.

The issue detected by the IT security experts concerns the attachments and notes storage. As you can see on the following screen, it is possible to store a note with embedded code. We tried to include the following code:

<i onmouseover=alert("c"+document.cookie); >X

This means that an employee can include a malicious script in an attachment note that could be executed by his manager.

The above screen shows the activation of the script code during the approval process in the context of a manager.

The other vulnerability is also related to attachments, but in this case to the file option: employees can store any type of document with no restrictions (executable files, binary files, HTML files) that can contain malicious code like Trojans or other viruses:

As far as I know, SAP standard does not cover these security issues. Do you know if SAP has delivered any note to cover this vulnerability? What are your suggestions for a workaround here? Implement an enhancement implementation on this WD component?

Many thanks in advance.

Best Regards,
AS

Accepted Solutions (1)


Lukas_Weigelt
Active Contributor

Hey André,

this is an interesting topic you're addressing here. As far as I know, there are no configuration possibilities provided to restrict the file types or file contents in the standard. I think Ankur's approach goes in the right direction, whereas the mentioned method only allows for manipulation of the handling of business documents, but not attachments, notes or hyperlinks. I'd rather create overwrite exits in the respective action handler methods of view V_ATTA and parse the filenames and contents there.

Cheers, Lukas


I also work in the E-Recruiting component and I know some security notes have been released for issues such as XSRF at application level, but E-Recruiting is obviously exposed to a lot more external risk! That said though, there were also some corrections for attachments for the WD layer. Did you check SAP notes in BC-WD-ABA? It's definitely not a topic I have seen addressed to support recently in FI-TV anyway.

Sally

Former Member

Hi André / Lukas

We did exactly that to restrict the file types that can be uploaded. I guess you could check the length of the title or similar to avoid malicious scripts as well.

Our code is in the overwrite exit of ONACTIONUPLOAD in WD component fitv_vc_trip_documents, view V_ATTA.

I've given the important part of the coding below - hope you can use it - you could use a maintenance table for the allowed file types to avoid hardcoding as below:

    " lv_filefullname (full name of the uploaded file) and elem_context (the
    " context element the error message is attached to) are filled by the
    " surrounding handler code and are not shown here.
    DATA:
      objname  TYPE string,
      file_ext TYPE string,
      lv_msg2  TYPE symsg.

    " Split the uploaded file name into base name and extension
    CALL METHOD cl_fitv_gos=>split_file_extension
      EXPORTING
        iv_filename_with_ext = lv_filefullname
      IMPORTING
        ev_filename          = objname
        ev_extension         = file_ext.

    " Compare case-insensitively: 'pdf', 'Pdf' and 'PDF' are the same type
    TRANSLATE file_ext TO UPPER CASE.

    " Note: a file without any extension passes this check, and only the
    " extension is inspected, not the file content.
    IF file_ext IS NOT INITIAL.
      " File type has to be one of these, else give an error message
      IF file_ext NE 'DOC'
        AND file_ext NE 'DOCX'
        AND file_ext NE 'JPG'
        AND file_ext NE 'XLSX'.
        " etc etc etc

*       report error message - possibly like this
        lv_msg2-msgty = 'E'.
        lv_msg2-msgid = 'YOUR_ID'.
        lv_msg2-msgno = 'YOUR_NO'.

        CALL METHOD wd_comp_controller->mo_message_manager->report_attribute_t100_message
          EXPORTING
            msg            = lv_msg2
            element        = elem_context
            attribute_name = 'DATA'.
        RETURN.
      ENDIF.
    ENDIF.
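As an added illustration (not code from this thread, from SAP, or from any of the posters), the following Python generalises the ABAP extension check above in the direction Lukas suggested, parsing both file names and contents: the extension allow-list is paired with a check of the file's leading bytes (and, for DOCX/XLSX, of the ZIP package contents), so an HTML or executable file renamed to ".jpg" is still rejected, and attachment notes are HTML-escaped before rendering so a payload like the one the original poster tested is displayed as text instead of executed. Python is used only as a language-neutral sketch of the logic that would go into the overwrite exit; the allow-list, the ZIP marker parts, the functions split_extension, check_attachment, render_note and make_ooxml, and all sample inputs are assumptions constructed for this example.

```python
"""Attachment and note validation sketch (constructed example, not from the page)."""
import html
import io
import os
import zipfile

# Allowed extensions and the byte signatures the content must start with.
# This is an example allow-list, not SAP's or any poster's configuration.
ALLOWED = {
    "PDF":  [b"%PDF-"],
    "JPG":  [b"\xff\xd8\xff"],
    "JPEG": [b"\xff\xd8\xff"],
    "PNG":  [b"\x89PNG\r\n\x1a\n"],
    "DOCX": [b"PK\x03\x04"],   # Office Open XML is a ZIP container
    "XLSX": [b"PK\x03\x04"],
}

# Marker part that must exist inside the ZIP for each Office type (assumed
# minimal check; a full check would parse [Content_Types].xml).
OOXML_MARKER = {"DOCX": "word/document.xml", "XLSX": "xl/workbook.xml"}


def split_extension(filename):
    """Stand-in for CL_FITV_GOS=>split_file_extension (behaviour assumed):
    return (base name, EXTENSION) with the extension upper-cased, or an
    empty extension when there is none."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client path
    name, _, ext = base.rpartition(".")
    if not name:  # no dot at all, or leading-dot names such as ".htaccess"
        return base, ""
    return name, ext.upper()


def check_attachment(filename, content):
    """Return (ok, reason). ok is True only if extension AND content pass."""
    _, ext = split_extension(filename)
    if ext not in ALLOWED:
        return False, "extension %r not in allow-list" % ext
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not look like %s" % ext
    if ext in OOXML_MARKER:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False, "not a valid OOXML package"
        if OOXML_MARKER[ext] not in names:
            return False, "ZIP container is not a %s package" % ext
    return True, "ok"


def render_note(note):
    """Escape a note for output as HTML text so no tag or attribute survives."""
    return html.escape(note, quote=True)


def make_ooxml(marker_part):
    """Build a minimal ZIP carrying the given marker part (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(marker_part, "<root/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads: a real PDF header, an HTML file renamed
    # to .jpg, an executable, and a spreadsheet package named as .docx.
    samples = [
        ("risk_assessment.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("receipt.jpg", b"<html><script>alert(document.cookie)</script></html>"),
        ("setup.exe", b"MZ\x90\x00"),
        ("expenses.docx", make_ooxml("xl/workbook.xml")),
    ]
    for name, data in samples:
        print(name, check_attachment(name, data))
    # The note payload from the original post, rendered harmlessly.
    print(render_note('<i onmouseover=alert("c"+document.cookie); >X'))
```

The content check is deliberately a prefix check: it stops the trivial rename but is not a virus scan, so an allowed PDF or Office file can still carry malicious content and should additionally go through the virus-scan interface the system already has for uploads. The note escaping is the server-side counterpart of the WD layer's own output encoding; it belongs wherever the note is written to the page, not only at upload time.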

Former Member

Thanks Ankur, Lukas, Sally and Jan. That was exactly what I had in mind but I had a tiny hope that SAP would have already addressed this issue. Thanks Jan for sharing your code. It will help!

Answers (1)


Former Member

Hi Andre,

I don't think SAP has delivered any note for this, but my suggestion would be to implement your logic in the method 'Save_Business_Doc' in the Web Dynpro component FITV_VC_TRIP_Documents; see below. Here you can write your logic and check the extension of the files, notes, links etc., based on what you would like to restrict.

Hope this helps

Ankur