MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch user's SAP inbox)

Zmudzin,Tomasz,FRANKFURT,Extern LG-DM Tomasz.Zmudzin at de.nestle.com
Tue Nov 25 09:06:59 EST 2003


Dear all,
 
please note that the solution below requires that CMD.EXE (the command
interpreter) be available from within the URL. However this is a MAJOR
security flaw (a textbook one!!) that should be avoided at all costs.
 
If you allow
 
   file:///cmd.exe "c:\...\sapshcut.exe"
 
there's no meaningful way of disabling
 
   file:///cmd.exe del c:\winnt\system\... -- DON'T TRY THIS AT HOME!!!
 
so in fact ANY user with access to your webserver can execute ANY command on
it -- something definitely not to be recommended. Don't do this.  If you
really need something similar, wrap your call in a specialized CGI script
that will be made available to the users. But NEVER EVER make the command
interpreter available this way.
 
Best regards,
Tomasz
 
 
-----Original Message-----
From: Workflow99 at aol.com [mailto:Workflow99 at aol.com]
Sent: Tuesday, 25 November 2003 14:54
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: RSWUWFML - with attachment to launch user's SAP inbox
 
 
Nicholas,
 
Try making the URL exactly what you pasted into the DOS prompt. (Remove the
file:///cmd.exe and the quotes)
 
 
Regards,
Ramki Maley
Workflow Developer, USCBP.
248-613-1287 (C)
 
In a message dated 11/25/2003 8:02:22 AM Eastern Standard Time,
nicholas.n.brand at uk.ibm.com writes:
Hello,
 
A quick question on the email notification program.
 
We're using SAP v4.7.
 
Here's what we want to happen:
 
Users get notified by email when they have new workitems - the email has an
attachment or URL that when executed launches SAP, after logging on the
user is taken directly to his Business Workplace.
 
We've copied RSWUWFML and made some additions to it.
We can send an email with a url to the user's MSOutlook address.
The URL looks like this:
<file:///cmd.exe "c:\Program
Files\SAP\FrontEnd\sapgui\SAP\FrontEnd\sapgui\sapshcut.exe" -user=nberkland
-language=en -system=SRD -client=140 -sysname=R/3 DEV -command=SO01>
 
The <> enclosing the URL means MSOutlook interprets the whole string as a
URL.
 
If we click the URL from MSOutlook we get the message 'Cannot find
file...followed by the parameter list'
 
This URL does not work; yet if we paste part of it into a DOS prompt it
does work - i.e.
"c:\Program Files\SAP\FrontEnd\sapgui\SAP\FrontEnd\sapgui\sapshcut.exe"
-user=nberkland -language=en -system=SRD -client=140 -sysname=R/3 DEV
-command=SO01
 
Our ABAP developer assumed the <file:///cmd.exe command was an http command
to execute a file.
 
So, the question is how can we launch the same program (the SAPGUI
shortcut) from a URL, including passing the necessary parameters (e.g.
userid) from MSOutlook.
 
Can anyone provide the missing link? Hmmm
 
 
Kind regards,
Nicholas Brand
 

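As an added illustration of the point Tomasz makes above (this is example code, not anything posted in the thread or shipped with SAP): a server-side wrapper that launches sapshcut.exe from a fixed path and only accepts a small allowlisted set of validated parameters, placed next to the pattern he warns against, where whatever the client sends becomes the command line. The executable path, the parameter names and the value patterns are assumptions chosen for illustration; in a real deployment the path comes from the server's configuration and the web server, not the wrapper, decides who may call it.

```python
"""Added example (not from the SAP-WUG thread): a CGI-style wrapper around
sapshcut.exe that keeps the command interpreter out of the picture."""
import re
import subprocess
from urllib.parse import parse_qs

# Fixed, server-side path to the launcher. Assumed path, for illustration only;
# the client never gets to choose what is executed.
SAPSHCUT = r"C:\Program Files\SAP\FrontEnd\sapgui\sapshcut.exe"

# Allowlist: parameter name -> pattern its value must match in full.
# The names mirror the sapshcut switches used in the thread; the patterns are
# assumptions chosen to be strict, not SAP's documented syntax.
ALLOWED = {
    "user": re.compile(r"[A-Za-z0-9_]{1,12}"),
    "language": re.compile(r"[A-Za-z]{2}"),
    "system": re.compile(r"[A-Z0-9]{3}"),
    "client": re.compile(r"[0-9]{3}"),
    "sysname": re.compile(r"[A-Za-z0-9 ./_-]{1,32}"),   # e.g. "R/3 DEV"
    "command": re.compile(r"[A-Z0-9_]{1,20}"),           # e.g. SO01
}
REQUIRED = {"user", "system", "client", "command"}


def unsafe_command_line(query_string: str) -> str:
    """The pattern to avoid: the client's text is handed to cmd.exe as-is.

    Returned (not executed) so the effect can be inspected safely.
    """
    raw = parse_qs(query_string).get("cmd", [""])[0]
    return "cmd.exe /c " + raw


def build_sapshcut_argv(query_string: str) -> list:
    """Hardened wrapper: fixed executable, allowlisted names, validated values.

    Raises ValueError for anything outside the allowlist, so an attacker can
    neither name a different program nor smuggle shell syntax into a value.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    missing = REQUIRED - set(params)
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    argv = [SAPSHCUT]
    for name, values in params.items():
        if name not in ALLOWED:
            raise ValueError(f"unexpected parameter: {name!r}")
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} given {len(values)} times")
        value = values[0]
        if not ALLOWED[name].fullmatch(value):
            raise ValueError(f"rejected value for {name!r}: {value!r}")
        argv.append(f"-{name}={value}")
    return argv


def accepts(query_string: str) -> bool:
    """True if the wrapper would launch this request, False if it rejects it."""
    try:
        build_sapshcut_argv(query_string)
        return True
    except ValueError:
        return False


def launch(query_string: str) -> subprocess.Popen:
    """Start sapshcut with the validated argv. No shell is involved: the list
    goes straight to CreateProcess, so spaces in 'R/3 DEV' need no quoting."""
    return subprocess.Popen(build_sapshcut_argv(query_string))


if __name__ == "__main__":
    # Constructed sample requests: the legitimate one from the thread's
    # parameters, and an injection attempt of the kind Tomasz describes.
    good = ("user=nberkland&language=en&system=SRD&client=140"
            "&sysname=R%2F3+DEV&command=SO01")
    evil = "cmd=del+c%3A%5Cwinnt"
    print("unsafe wrapper would run:", unsafe_command_line(evil))
    print("hardened wrapper accepts good request:", accepts(good))
    print("hardened wrapper accepts injection:", accepts(evil))
```

The allowlist constrains what the launcher is run with, not who asked; a user could still request `-user=` for someone else, which here only changes the pre-filled logon name, and authentication of the request itself is the web server's job.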
