7

Display of sensitive data in Community

Nov 25, 2016 at 07:29 AM

702


Hello,


following a moderator suggestion, I'm posting this question here.
When uploading a file from my PC to the community, let's say in
a question I ask, parts of the storage location and my I-number are
shown to everybody as they are part of the attachment's name.
An example would be 'cusersi123456desktopcomm02.jpg'.


This should be corrected.

Hendrik


I might expect the original filename to be visible, although that could easily be masked also I guess, but to make the whole file path, including in this case a user name, is definitely not a good idea.

Steve.

0

Is there a way to change this generated filename manually?

0

Hi, Hendrik:

I wonder if it has something to do with being an SAP employee -- although I've not heard of any other colleagues reporting this (or even experiencing it myself, for that matter).

Let me check with some people and get back to you...

Best regards,

--Jerry

0

I provided some test cases below using IE 11 and Chrome. Problem appears to be constrained to IE - not sure about Firefox or other possible browsers.

0

Thanks for that, Jeremy...although I was tempted to downvote simply because of what you chose to photograph. :)

Joking aside, I updated a bug report to indicate that a) it affects more than SAP employees and b) may be limited to IE (possibly also Firefox).

1

Hi Jerry.

From my point of view it has nothing to do with being an SAP employee. I ran into the issue some days ago (w/ IE11 as Jeremy described below).

Kr

Martin

1

Thanks for notifying me, Martin. I have opened a bug ticket in the hopes of resolving.

0

5 Answers

Best Answer
Sebastian Wolf
Dec 14, 2016 at 04:41 PM
4

Hi everybody,

first I'm sorry that we haven't replied earlier.

This one here is an important issue - exposing sensitive information is a real no-go. Unfortunately, the way the file name on the server is generated is core functionality of AnswerHub (the platform SAP Answers is using). We already opened a bug ticket with the vendor to get this resolved. However, you can influence this behavior yourself by changing a setting in Internet Explorer.

Open Tools -> Internet Options -> Security -> Custom level... and in the upcoming dialog search for Miscellaneous -> "Include local directory path when uploading files to a server". If you have this issue, it looks like this on your machine:

Set this value to disabled and you're done!

Most certainly this issue only occurs on SAP-operated machines as we have *.sap.com in the list of Trusted Sites in IE (Colleagues, just have a look there which sites are also trusted, it might be interesting). Of course, if you have *.sap.com in the list of trusted sites or you explicitly switched on this "feature" and you are not an SAP employee, this issue affects you as well.

As mentioned, we are trying to get this issue solved in the core functionality by letting the system only use the file name. Until then, thank you for your understanding!

Best regards,

Sebastian
for the SAP Community Team
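
The server-side fix described in the answer above (use only the file name), as an added example that is not part of the original thread and is not AnswerHub code. The `slug` routine is an assumed stand-in that reproduces the name reported in the question, the function names are hypothetical, and the sample path is constructed.

```python
import re

# Assumed stand-in for the platform's name generation: lowercase, then drop
# everything except letters, digits and dots. It reproduces the name seen in
# the thread but is not AnswerHub's actual code.
def slug(name: str) -> str:
    return re.sub(r"[^a-z0-9.]", "", name.lower())

def stored_name_leaky(client_filename: str) -> str:
    """Slug the client-supplied value as-is: directory names survive."""
    return slug(client_filename)

def stored_name_safe(client_filename: str, fallback: str = "upload") -> str:
    """Keep only the last path component, then slug it."""
    # Split on '\\', '/' and ':' so Windows paths, POSIX paths and drive
    # prefixes are all reduced to the final component. This must happen
    # before slugging, because slugging removes the separators.
    base = re.split(r"[\\/:]", client_filename)[-1]
    # Drop leading dots so the result is never a hidden or dot-only name.
    cleaned = slug(base).lstrip(".")
    # Empty result (e.g. the value ended in a separator): use a neutral name
    # rather than falling back to a directory component.
    return cleaned or fallback

if __name__ == "__main__":
    # Constructed path of the kind IE sends when "Include local directory
    # path when uploading files to a server" is enabled for the zone.
    sent_by_ie = r"C:\Users\i123456\Desktop\comm02.jpg"
    # Browsers that send only the file name.
    sent_by_chrome = "comm02.jpg"

    for value in (sent_by_ie, sent_by_chrome):
        print(f"{value!r:45} leaky={stored_name_leaky(value)!r:35} "
              f"safe={stored_name_safe(value)!r}")
```

With the path component taken first, the stored name is the same whichever browser setting the client has, so the fix does not depend on users changing their IE configuration.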


Jeremy Good
Nov 30, 2016 at 09:33 PM
0

This embedded picture here in my answer is coming from my C:\ drive, and in draft mode using IE 11, I see the current uploaded picture (I used my avatar image and gave myself a minor haircut by trimming the picture) below where I am typing. The file name is cjgoodpicturesjeremyjeremygood.jpg which is the full file path (minus the directory slashes).


Same thing seems to happen as a comment, but this time I trimmed my goatee, but uploaded the exact same picture.
0

I uploaded this in IE11, Windows 7, 32-bit, not part of a domain. I used a picture from a folder in my C drive.

I don't seem to encounter such issues.

No problems in Firefox ESR and Pale Moon either, I would have noticed that.

charlotte.jpg (370.1 kB)
1

Windows 10 Enterprise 1511 here on my laptop, and it is reproducible. When DEV gets around to troubleshooting or digging deeper into this, I am happy to support their efforts to fix this.

0
Jürgen L
Nov 30, 2016 at 08:25 PM
0

I have not yet seen this described case and I uploaded many pictures already and I see many embedded pictures and attachments during the day.

I just attached this and it has only the name, no directory, nothing from my user ID:

csrfattack.png

And yes, the displayed name can be changed, click the link of the attachment and select Edit:


Jeremy Good
Nov 30, 2016 at 09:38 PM
0

Apparently Chrome only uses the file name, so I guess you can say that I 'see' the problem. Same image, trimmed to the all seeing eye - so perhaps this is unique to IE ?


jeremygood.jpg (17.9 kB)

Final test - comments and answers act the same in Chrome (only the file name is revealed after the upload), so if the DEV team can hear me, it would app'ear' that IE is causing this issue and not Chrome.

jeremygood.jpg (34.5 kB)
0
Hans-Hendrik Weise
Dec 01, 2016 at 06:31 AM
0

Thanks to everybody investigating this!
Indeed I only use the standard IE coming with the installation image.
So far, I did not see this in other posts I was active in and where pictures
were uploaded. Might also be related to the location where my pictures
were stored, I did not try with something else as source such as C:\tmp.
