Update: MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch user's SAP inbox)

Dart, Jocelyn jocelyn.dart at sap.com
Wed Nov 26 21:00:23 EST 2003


Hi Nicholas,
In order for people to type in the command they would need to know critical details such as user id and password - which should not be given out freely of course.  However, your link would hand it to them on a platter!
 
Please at least try the .R3M attachments - the standard email notification program will create that for you.  That gives you a standard SAP shortcut formatted correctly.  The user still has to log in of course. But you should NOT be sending user ids and passwords out in ANY link where they can be read.
 
And as I think I mentioned - the new extended email notifications will have a single-sign on link - this will be able to be loaded on earlier releases.  If the no-login option is critical to your project now, then you might want to consider asking to be a pilot customer for the new notifications program. In which case, Alan Rickayzen can assist with this process.
 
By the way, if what you are trying to do is use a generic user id for many users, that is not only dangerous from a technical (loss of security) and functional perspective (loss of audit trail) but has licence/legal implications - so please don't go live with that without discussing your approach with your SAP account manager first.
Regards,
        Jocelyn Dart
Consultant (SRM, EBP, Workflow)
and co-author of the book
"Practical Workflow for SAP"
SAP Australia
email: jocelyn.dart at sap.com
phone: +61 412 390 267
fax:   +61 2 9935 4880
 
-----Original Message-----
From: Nicholas Brand [mailto:nicholas.n.brand at uk.ibm.com]
Sent: Thursday, 27 November 2003 3:13 AM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: Update: MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch user's SAP inbox)
 
 
Jocelyn and Tomasz,
 
Thanks for your replies.
A quick question - what would stop anyone from typing this command and
executing it anyway, even if it didn't come from a URL?
Also if this approach is done within a secure firewall does this change the
security issue as external users could be prevented from issuing such
commands?
 
We're also looking at the attachment route.
In particular, creating a .SAP file with relevant parameters (to launch the
SAPGUI) as an attachment to the outgoing email.
We can send out a .TXT file no problem but when we try and create the .SAP
file it arrives with most of the info truncated (we can view it in notepad
by saving it as a .TXT file when the email comes through).
We're investigating the point at which SAPconnect handles the email to
check whether this is where the truncation is occurring.
 
Any quick thoughts?
 
 
Kind regards,
Nicholas Brand
 
From: "Dart, Jocelyn" <jocelyn.dart at sap.com>
Sent by: SAP Workflow <Owner-SAP-WUG at MITVMA.MIT.EDU>
To: SAP-WUG at MITVMA.MIT.EDU
cc:
Subject: Re: Update: MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch user's SAP inbox)
Date: 26-11-03 00:34
Please respond to "SAP Workflow Users' Group"
 
 
Yes, exactly.
Nicholas, use the R3M attachment option provided in the email notification
program if you want SAP shortcuts. This will be used where you specify that
you want form attachments but don't use a FORM step.
 
There's an improved shortcut option (with single sign-on capability) coming
in the new extended version...
Wait for Alan's mail on the release of the extended version though if you
are interested.
Regards,
        Jocelyn Dart
Consultant (SRM, EBP, Workflow)
and co-author of the book
"Practical Workflow for SAP"
Info on the book and where to get it at: http://www.workflowbook.com
SAP Australia
email: jocelyn.dart at sap.com
phone: +61 412 390 267
fax: +61 2 9935 4880
 
 
 
 
-----Original Message-----
From: Zmudzin,Tomasz,FRANKFURT,Extern LG-DM
[mailto:Tomasz.Zmudzin at de.nestle.com]
Sent: Wednesday, 26 November 2003 1:28 AM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Update: MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch user's SAP inbox)
 
 
I was so shocked by what I've seen that I've misread the print. The
analysis would thus be slightly different. However, this is still a security
threat.
 
The details:
1. The file:// prefix instead of the usual CGI http://..../cgi-bin prefix
would actually mean that the command interpreter file is transferred to the
user's client machine before being executed. In other words -- the command
would be executed ON THE CLIENT MACHINE, NOT ON THE SERVER -- which is less
of a threat, but still dangerous.
 
2. The web browsers usually request that file:// requests be confirmed by
the users who can either save or execute the file.
-- Saving it won't help perform any operation, and is misleading to the
user
-- Executing the file will take you where you need to go -- but opens the gate
to shell-level execution of system commands
-- The worst thing that can happen is that the bored user will tell the
browser to ALWAYS open .exe files by default (which is quite likely without
the technical background). This is a serious security threat as it will also
work for external sites, which may (and will) contain malicious programs.
 
3. This approach also makes the command shell available to the users -- which
may conflict with your company's policy anyway (think about Citrix access --
Windows terminals often have cmd.exe disabled)
 
4. On very legal terms -- I'm not quite sure if it is legal to distribute a
part of Windows (cmd.exe) via the Web from the web server to other PCs!
Judging by the copyright disclaimer -- not really.
 
Best regards,
Tomasz
 
-----Original Message-----
From: Zmudzin,Tomasz,FRANKFURT,Extern LG-DM
Sent: Tuesday, 25 November 2003 15:07
To: 'SAP Workflow Users' Group'
Subject: MAJOR SECURITY RISK (Re: RSWUWFML - with attachment to launch
user's SAP inbox)
Importance: High
 
 
Dear all,
 
Please note that the solution below requires that CMD.EXE (the command
interpreter) be available from within the URL. However, this is a MAJOR
security flaw (a textbook one!!) that should be avoided at all costs.
 
If you allow
 
   file:///cmd.exe "c:\...\sapshcut.exe"
 
there's no meaningful way of disabling
 
   file:///cmd.exe del c:\winnt\system\... -- DON'T TRY THIS AT HOME!!!
 
so in fact ANY user with access to your webserver can execute ANY command on
it -- something definitely not to be recommended. Don't do this.  If you
really need something similar, wrap your call in a specialized CGI script
that will be made available to the users. But NEVER EVER make the command
interpreter available this way.
 
Best regards,
Tomasz
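
As an added, defender-side example that is not part of this thread or of SAP's notification program: a small Python audit that scans an outgoing notification body for the two problems raised in this thread, Tomasz's point that a `file:///cmd.exe` link hands the user a command interpreter, and Jocelyn's point (in the top reply) that a link must never carry a readable user id or password. The link pattern, the executable list, the parameter names and the sample mail body are this example's own assumptions, not anything RSWUWFML or SAPconnect defines.

```python
"""Audit outgoing notification e-mail bodies for dangerous links.

Added example for this thread. It flags links that use the file:// scheme,
that point at a command interpreter or other executable, or that carry a
user id / password as a parameter. Every pattern below is an assumption of
this example, not an SAP or RSWUWFML API.
"""
import re
from urllib.parse import urlparse

# A link is either wrapped in <...> (Outlook treats the whole bracketed
# string, spaces included, as one URL, as the thread notes) or a bare
# scheme://token run with no whitespace.
LINK_RE = re.compile(
    r"<([A-Za-z][A-Za-z0-9+.-]*://[^>]*)>"
    r"|([A-Za-z][A-Za-z0-9+.-]*://[^\s<>]+)"
)
# Executables a notification link should never reference (assumed list).
EXECUTABLE_RE = re.compile(r"\b(cmd|command|powershell|sapshcut)\.exe\b", re.I)
# Parameter names that carry identity material (assumed lists).
USER_PARAM_RE = re.compile(r"(?:^|[\s?&;/-])(user|userid|username|login)=", re.I)
PASSWORD_PARAM_RE = re.compile(r"(?:^|[\s?&;/-])(pass|password|pw|pwd)=", re.I)


def extract_links(body):
    """Return every link found in an e-mail body, in order of appearance."""
    return [m.group(1) or m.group(2) for m in LINK_RE.finditer(body)]


def audit_link(url):
    """Return the list of problems found in one link (empty when clean)."""
    findings = []
    if urlparse(url).scheme.lower() == "file":
        # Opens or runs a file on the client rather than fetching a web resource.
        findings.append("file-scheme")
    if EXECUTABLE_RE.search(url):
        # The link is a program launcher; with cmd.exe it is an open shell.
        findings.append("executable")
    if PASSWORD_PARAM_RE.search(url):
        # Readable by anyone who sees the mail, in transit or in the mailbox.
        findings.append("password-in-link")
    if USER_PARAM_RE.search(url):
        findings.append("userid-in-link")
    return findings


def audit_body(body):
    """Map each link in the body to its findings; clean links map to []."""
    return {url: audit_link(url) for url in extract_links(body)}


def is_safe_to_send(body):
    """True only when no link in the body has any finding."""
    return not any(audit_body(body).values())


# Constructed sample body modelled on the thread's link shape (not a real mail).
SAMPLE_BODY = (
    "You have new work items in your SAP inbox.\n"
    "Open your Business Workplace: <file:///cmd.exe \"c:\\Program Files\\SAP\\sapshcut.exe\""
    " -user=jdoe -password=secret -client=140 -command=SO01>\n"
    "Help: http://intranet.example.com/workflow-help\n"
)

if __name__ == "__main__":
    for url, findings in audit_body(SAMPLE_BODY).items():
        print("OK  " if not findings else "BAD ", url, findings)
    print("safe to send:", is_safe_to_send(SAMPLE_BODY))
```

Run it against the template your copy of the notification program produces before the job is scheduled; a body with any finding should be blocked, and the `userid-in-link` finding is the one to keep even after switching to shortcut attachments, since a user id in a mailed link is still data you do not want readable in transit.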
 
 
-----Original Message-----
From: Workflow99 at aol.com [mailto:Workflow99 at aol.com]
Sent: Tuesday, 25 November 2003 14:54
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Re: RSWUWFML - with attachment to launch user's SAP inbox
 
 
Nicholas,
 
Try making the URL exactly what you pasted into the DOS prompt. (Remove the
file:///cmd.exe and the quotes)
 
 
Regards,
Ramki Maley
Workflow Developer, USCBP.
248-613-1287 (C)
 
In a message dated 11/25/2003 8:02:22 AM Eastern Standard Time,
nicholas.n.brand at uk.ibm.com writes:
Hello,
 
A quick question on the email notification program.
 
We're using SAP v4.7.
 
Here's what we want to happen:
 
Users get notified by email when they have new workitems - the email has an
attachment or URL that when executed launches SAP, after logging on the
user is taken directly to his Business Workplace.
 
We've copied RSWUWFML and made some additions to it.
We can send an email with a url to the user's MSOutlook address.
The URL looks like this:
<file:///cmd.exe "c:\Program
Files\SAP\FrontEnd\sapgui\SAP\FrontEnd\sapgui\sapshcut.exe" -user=nberkland
-language=en -system=SRD -client=140 -sysname=R/3 DEV -command=SO01>
 
The <> enclosing the URL means MSOutlook interprets the whole string as a
URL.
 
If we click the URL from MSOutlook we get the message 'Cannot find
file...followed by the parameter list'
 
This URL does not work; yet if we paste part of it into a DOS prompt it
does work - i.e.
"c:\Program Files\SAP\FrontEnd\sapgui\SAP\FrontEnd\sapgui\sapshcut.exe"
-user=nberkland -language=en -system=SRD -client=140 -sysname=R/3 DEV
-command=SO01
 
Our ABAP developer assumed the <file:///cmd.exe command was an http command
to execute a file.
 
So, the question is how can we launch the same program (the SAPGUI
shortcut) from a URL, including passing the necessary parameters (e.g.
userid) from MSOutlook.
 
Can anyone provide the missing link? Hmmm
 
 
Kind regards,
Nicholas Brand
 