Can the redirecturl functionality be disabled for a service

maryjane_steele2
Active Participant

My security team flagged my Fiori logoff service because they are able to add a redirect to the end of the URL. They didn't use the Fiori app; they just googled to get the logoff string and entered the URL into the browser. So how do I prevent this?

https://<yadayada./sap/public/bc/icf/logoff?redirecturl=https://example.com

Accepted Solutions (1)

david_chin_auspost
Discoverer
0 Kudos

Hi Mary Jane

What a coincidence. We also had a similar security concern raised about malicious use of the SAP standard redirecturl parameter, where a logoff on any genuine public Internet service (ICF) is redirected to a dubious site.
E.g. https://example.com/sap/public/bc/icf/logoff?redirecturl=https://www.FakeLogonSite.com

The logoff class method makes use of a URL whitelist for ICF logoff services (if the whitelist is maintained). For each SAP ABAP system this is maintained in the table HTTP_WHITELIST by adding allowed redirection entries:

ENTRY_TYPE: 21 (Redirect URL for ICF Logoff)
PROTOCOL: * (all protocols or particular protocols)
HOST: example.com (allowed host names to redirect to)
PORT: 0 (all ports or particular ports only)
URL: * (all allowed URL paths or particular URL masks).

Whitelisted redirect URLs are recommended to secure your SAP system, as you may only want to redirect to the same SAP system or another single sign-on system to re-authenticate and nothing else after logoff.

Kind Regards

David
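
The answer above describes the HTTP_WHITELIST fields but not how a candidate redirecturl is matched against them. The following is an added example, not code from the thread or from SAP: a small Python emulation of an ENTRY_TYPE 21 allow list that a tester can use to reason about which redirect targets should and should not pass once the table is maintained. The field meanings (PROTOCOL * = all protocols, PORT 0 = all ports, URL * = all paths) are taken from the answer; the fnmatch-style wildcard handling for HOST and URL masks and the rejection of non-absolute URLs are assumptions of this example and are not a description of SAP's actual implementation. The sample entries and test URLs are constructed.

```python
"""Emulation of a redirect-URL allow list in the style of SAP's
HTTP_WHITELIST (ENTRY_TYPE 21).  Added example; wildcard semantics
and the handling of relative URLs are assumptions, not SAP's code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WhitelistEntry:
    entry_type: int   # 21 = Redirect URL for ICF Logoff
    protocol: str     # '*' = all protocols, else e.g. 'https'
    host: str         # host name; '*' wildcards assumed to be allowed
    port: int         # 0 = all ports
    url: str          # '*' = all paths, else an fnmatch-style path mask (assumed)


DEFAULT_PORTS = {"http": 80, "https": 443}


def redirect_allowed(redirect_url: str, entries) -> bool:
    """Return True only if redirect_url matches some ENTRY_TYPE 21 entry.

    The URL is parsed with urlsplit so that the comparison is made on the
    real host: 'https://example.com@evil.com' resolves to host evil.com and
    'https://example.com.evil.com' is not a substring match for example.com.
    Scheme-less ('//evil.com'), relative and non-http(s) URLs are rejected
    outright; this is the conservative choice of the example.
    """
    try:
        parts = urlsplit(redirect_url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        if scheme not in DEFAULT_PORTS or not host:
            return False
        port = parts.port or DEFAULT_PORTS[scheme]   # raises on a bad port
    except ValueError:
        return False
    path = parts.path or "/"

    for e in entries:
        if e.entry_type != 21:
            continue
        if e.protocol != "*" and e.protocol.lower() != scheme:
            continue
        if not fnmatchcase(host, e.host.lower()):
            continue
        if e.port != 0 and e.port != port:
            continue
        if e.url != "*" and not fnmatchcase(path, e.url):
            continue
        return True
    return False


# Constructed sample table: the own system on any port, plus one SSO
# endpoint restricted to HTTPS on 443 and the /saml2/ path.
SAMPLE_ENTRIES = [
    WhitelistEntry(21, "*", "example.com", 0, "*"),
    WhitelistEntry(21, "https", "sso.example.com", 443, "/saml2/*"),
]

# Constructed test targets, including the open-redirect tricks a tester
# would try against a logoff endpoint.
SAMPLE_TARGETS = [
    "https://example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "http://example.com:8000/sap/bc/gui/sap/its/webgui",
    "https://sso.example.com/saml2/login",
    "https://sso.example.com/other",
    "http://sso.example.com/saml2/login",
    "https://www.FakeLogonSite.com",
    "https://example.com.evil.com/",
    "https://example.com@evil.com/",
    "https://evil.com/example.com",
    "//evil.com/",
    "javascript:alert(1)",
]


def classify(urls=SAMPLE_TARGETS, entries=SAMPLE_ENTRIES) -> dict:
    """Map each candidate redirect URL to True (allowed) or False (blocked)."""
    return {u: redirect_allowed(u, entries) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {url}")
```

After maintaining the real table, repeat the check from the question against the live system: request `/sap/public/bc/icf/logoff?redirecturl=https://<host you do not control>` and confirm the response no longer carries that host in its Location header (or equivalent redirect). The matcher above only models the decision; it does not talk to the SAP system.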

Answers (1)

maryjane_steele2
Active Participant
0 Kudos

Excellent. Thanks for the info. I knew there had to be a way.