How to implement SAP Security Note 3218177

nickolai_korzan
Discoverer

Hi all,

I would like to clarify whether I am moving in the right direction.

We are going to implement SAP Security Note 3218177 ( https://launchpad.support.sap.com/#/notes/3218177).
We noticed that this note has a workaround. Do I understand correctly that in order to apply a workaround, we should perform the following steps:

1. Go to the SICF transaction
2. Find the SAP GUI for HTML service
3. On the Service Data tab, click on the GUI Configuration button
4. In the dialog box that appears, add the webgui_updown_extension_denied parameter with the value xml.
I've attached the screenshot.

Is a system restart required after applying this setting?

DominikTylczyn
Active Contributor

The screenshot is missing.

Accepted Solutions (0)

Answers (1)

DominikTylczyn
Active Contributor

Hello nickolai_korzan

As per note 3218177 - [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Ser... your best course of action is a kernel upgrade. If you can't do that, then look at the workaround in note 2305615 - WebGUI File Browser: extensions (MIME types) supported for opening files. As per this note:

The white list is set as value of the service parameter ~webgui_updown_extension_allowed, the black list is set as value of the service parameter ~webgui_updown_extension_denied.

The value of both service parameters should have the format:

extension|MIME type;extension|MIME type;...

For example:

~webgui_updown_extension_allowed=wav|audio/x-wav;dvi|application/x-dvi

~webgui_updown_extension_denied=zip|application/zip;tiff|image/tiff

So, your setting of ~webgui_updown_extension_denied to just xml is incorrect. It should be followed by a MIME type.

As per https://en.wikipedia.org/wiki/XML_and_MIME:

There are two MIME assignments for XML data. These are:

application/xml (RFC 7303, previously RFC 3023)

text/xml (RFC 7303, previously RFC 3023)

Therefore I'd suggest setting ~webgui_updown_extension_denied to xml|application/xml;xml|text/xml

I don't think you need to restart after changes to SICF.

Best regards

Dominik Tylczynski
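The parameter format the note describes, as an added example that is not code from the thread or from SAP: a small Python pre-flight check that parses a ~webgui_updown_extension_* value, rejects the bare xml value from the question, and confirms the suggested deny list covers both XML MIME types. The parameter names and the extension|MIME type;... format come from the thread; the case-insensitive matching and the MIME syntax regex are assumptions, not documented SAP behaviour.

```python
"""Pre-flight validator for SAP WebGUI ~webgui_updown_extension_allowed/_denied values.
Format (from SAP note 2305615, quoted in the thread): extension|MIME type;extension|MIME type;...
Added example; the parsing rules below are an assumption about how to sanity-check
the value before putting it into SICF, not SAP's own parser."""
from __future__ import annotations
import re

# Loose "type/subtype" syntax check for the MIME part (assumption, RFC-style token chars).
_MIME_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


def parse_updown_list(value: str) -> list[tuple[str, str]]:
    """Parse the parameter value into (extension, mime) pairs.
    Raises ValueError for entries that are not 'ext|mime', e.g. the bare 'xml'
    proposed in the question."""
    pairs: list[tuple[str, str]] = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        if entry.count("|") != 1:
            raise ValueError(f"entry {entry!r} must have the form extension|MIME type")
        ext, mime = (part.strip() for part in entry.split("|"))
        if not ext or not mime:
            raise ValueError(f"entry {entry!r} has an empty extension or MIME type")
        if not _MIME_RE.match(mime):
            raise ValueError(f"entry {entry!r} has a malformed MIME type")
        pairs.append((ext.lower(), mime.lower()))  # case-insensitive match (assumption)
    return pairs


def is_well_formed(value: str) -> bool:
    """True if every entry in the value parses as extension|MIME type."""
    try:
        parse_updown_list(value)
    except ValueError:
        return False
    return True


def is_denied(denied_value: str, filename: str, mime: str) -> bool:
    """True if the file's (extension, MIME type) pair appears in the deny list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return (ext, mime.lower()) in parse_updown_list(denied_value)


def covers_xml_workaround(denied_value: str) -> bool:
    """True only if the deny list parses and lists both XML MIME types from the answer."""
    return {("xml", "application/xml"), ("xml", "text/xml")} <= set(parse_updown_list(denied_value))


if __name__ == "__main__":
    print("bare 'xml' well-formed:", is_well_formed("xml"))                       # False
    suggested = "xml|application/xml;xml|text/xml"                                # value from the answer
    print("suggested value covers both XML types:", covers_xml_workaround(suggested))
    print("report.xml as text/xml denied:", is_denied(suggested, "report.xml", "text/xml"))
```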

nickolai_korzan
Discoverer

Thank you very much for your reply. We will apply this workaround.