
Display of sensitive data in Community

Hello,


Following a moderator suggestion, I'm posting this question here.
When uploading a file from my PC to the community, let's say in a question I ask, parts of the storage location and my I-number are shown to everybody as they are part of the attachment's name.
An example would be 'cusersi123456desktopcomm02.jpg'.


This should be corrected.

Hendrik


  • Thanks for that, Jeremy...although I was tempted to downvote simply because of what you chose to photograph. :)

    Joking aside, I updated a bug report to indicate that a) it affects more than SAP employees and b) may be limited to IE (possibly also Firefox).

  • Former Member Jerry Janda

    Hi Jerry.

    From my point of view it has nothing to do with being an SAP employee. I ran into the issue some days ago (w/ IE11 as Jeremy described below).

    Kr

    Martin

  • Thanks for notifying me, Martin. I have opened a bug ticket in the hopes of resolving.


5 Answers

  • Best Answer
    Dec 14, 2016 at 04:41 PM

    Hi everybody,

    first I'm sorry that we haven't replied earlier.

    This one here is an important issue - exposing sensitive information is a real no-go. Unfortunately, the way the file name on the server is generated is a core functionality of AnswerHub (the platform SAP Answers is using). We already opened a bug ticket with the vendor to get this resolved. However, you can influence this behavior yourself by changing a setting in Internet Explorer.

    Open Tools -> Internet Options -> Security -> Custom level... and in the upcoming dialog search for Miscellaneous -> "Include local directory path when uploading files to a server". If you have this issue, it looks like this on your machine:

    Set this value to disabled and you're done!

    Most certainly this issue only occurs on SAP-operated machines as we have *.sap.com in the list of Trusted Sites in IE (Colleagues, just have a look there which sites are also trusted, it might be interesting). Of course, if you have *.sap.com in the list of trusted sites or you explicitly switched on this "feature" and you are not an SAP employee, this issue affects you as well.

    As mentioned, we are trying to get this issue solved in the core functionality by letting the system only use the file name. Until then, thank you for your understanding!

    Best regards,

    Sebastian
    for the SAP Community Team
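
A sketch of the server-side fix this answer describes (store only the file name), as an added example that is not part of the original post and not AnswerHub's code. `naive_stored_name` is an assumed reconstruction of how a name like the one in the question can arise; the Windows path is a constructed sample and all function names are hypothetical.

```python
import ntpath
import re

# Characters kept in a stored attachment name (assumed policy for this example).
_UNSAFE = re.compile(r"[^a-z0-9._-]")

# Constructed sample: what IE sends when "Include local directory path when
# uploading files to a server" is enabled for the site's security zone.
SAMPLE_CLIENT_NAME = r"C:\Users\i123456\Desktop\comm02.jpg"


def naive_stored_name(client_name: str) -> str:
    """Assumed reconstruction of the leak: sanitize the whole client string.

    Separators and the drive colon are stripped, but every directory name,
    including the user ID, survives in the public attachment name.
    """
    return _UNSAFE.sub("", client_name.lower())


def contains_path(client_name: str) -> bool:
    """True if the browser sent more than a bare file name (worth logging)."""
    return ntpath.basename(client_name) != client_name


def safe_stored_name(client_name: str, fallback: str = "upload") -> str:
    """Keep only the last path component, then sanitize it.

    ntpath treats both backslash and forward slash as separators and drops
    a drive prefix, so Windows and POSIX style client paths are both reduced.
    """
    base = ntpath.basename(client_name)
    return _UNSAFE.sub("", base.lower()) or fallback


if __name__ == "__main__":
    samples = (SAMPLE_CLIENT_NAME, "/home/i123456/Pictures/Comm 02.JPG", "comm02.jpg")
    for name in samples:
        print(f"{name!r}: naive={naive_stored_name(name)!r} "
              f"safe={safe_stored_name(name)!r} path_sent={contains_path(name)}")
```

Taking the base name before sanitizing matters: once the separators are stripped, the directory parts can no longer be told apart from the file name.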


  • Nov 30, 2016 at 09:33 PM

    This embedded picture here in my answer is coming from my C:\ drive, and in draft mode using IE 11, I see the current uploaded picture (I used my avatar image and gave myself a minor haircut by trimming the picture) below where I am typing. The file name is cjgoodpicturesjeremyjeremygood.jpg which is the full file path (minus the directory slashes).

    • Windows 10 Enterprise 1511 here on my laptop, and it is reproducible. When DEV gets around to troubleshooting or digging deeper into this, I am happy to support their efforts to fix this.

  • Nov 30, 2016 at 08:25 PM

    I have not yet seen this described case and I uploaded many pictures already and I see many embedded pictures and attachments during the day.

    I just attached this and it has only the name, no directory, nothing from my user ID:

    csrfattack.png

    And yes, the displayed can be changed, click the link of the attachment and select Edit:


  • Nov 30, 2016 at 09:38 PM

    Apparently Chrome only uses the file name, so I guess you can say that I 'see' the problem. Same image, trimmed to the all seeing eye - so perhaps this is unique to IE?


    • Final test - comments and answers act the same in Chrome (only the file name is revealed after the upload), so if the DEV team can hear me, it would app'ear' that IE is causing this issue and not Chrome.

      jeremygood.jpg (34.5 kB)
  • Dec 01, 2016 at 06:31 AM

    Thanks to everybody investigating this!
    Indeed I only use the standard IE coming with the installation image.
    So far, I did not see this in other posts I was active in and where pictures were uploaded. Might also be related to the location where my pictures were stored, I did not try with something else as source such as C:\tmp.
